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(54) Database management apparatus and encrypting/decrypting system 

(57) In a database, a frequently retrieved column is 
encrypted using a common key, and other columns are 
encrypted using a specific row key Thus, a retrieving 
process can be performed at a high speed, and the 
security can be improved. Then, the row and column of 
the database are encrypted by assuming the plaintext to 
be encrypted as a bit string, and performing a binary 
operation with a random bit string. A random bit string is 
obtained by sequentially generating multidimensional 
vectors using a nonlinear function by defining a prede- 
termined bit length as 1 word and a plurality of words as 
components of the multidimensional vector. 
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Description 



Background of the Invention 
5 Field of the Invention 

[0001] The present invention relates to an encryption/decryption system used in a system for performing encrypted 
data communications, and to a database management apparatus for encrypting and managing a database. 

w Description of the Related Art 

[0002] In an information system such as a computer and a network used by a large number of general users, there 
is a serious problem that some malicious users illegally access and amend information. Therefore, the encryption tech- 
nology has been widely adopted as an effective countermeasure. A well-known encryption technology is disclosed in 
75 detail by the following document. 

[0003] 'Communications of the ACM Vol.21, No.2 (1978) P120. A Method for Obtaining Digital Signatures and Pub- 
lic Key Crypto systems: R. L. Rivest, A. Shamir, and L. Adleman, MIT Laboratory for Computer Science and Depart- 
ment of Mathematics' 

[0004] The encrypting method published in this document is generally accepted as a considerably reliable method, 
20 and is referred to as an RSA (Rivest-Sharmir-Adleman) method. A system derived from this RSA method has been 
developed as an authentication system for a signature used in an electronic trading system, and has been put to prac- 
tical use. 

[0005] The RSA method is a public key (asymmetric) encryption system based on the difficulty in factorization in 
prime numbers, and obtains as ciphertext a remainder obtained by dividing a result of raised data by a large integer. 

25 The feature of the RSA method is that it is difficult to find two original primes (p and q) from the product of the two orig- 
inal primes. Even if the product of the two primes can be detected, it is very difficult to detect the p and the q, or estimate 
the decoding operation. The above mentioned RSA method is practical in a sense, and highly reliable when the bit 
length of data as an encryption key is long enough. To guarantee the reliability, it is normal to use encryption key data 
of 256 bits in length. However, it is not long enough in some cases, and the necessity of an encryption key of 512 or 

30 1 024 bits in data length is actually discussed. However, since the data length is practically limited by the operation pre- 
cision and operation speed of a computer, it is not efficient to have a long bit. 

[0006] That is, there has been the problem with the RSA method and the encrypting method derived from the RSA 
method that the reliability of these methods is limited by the performance of a computer. There also is the problem that 
the methods require a considerable change in the reliability test, etc. of the authentication system based on the change 
35 in bit length of an encryption key. 

[0007] In addition, since the database management apparatus has to encrypt and store the database which is man- 
aged therein to guarantee the security of the database. 

[0008] To improve the security, a more complicated encrypting process can be performed, but it also requires a long 
time to perform operations. 

40 [0009] A database contains a large volume of data. In a data retrieving process, data relating to a specific item and 
matching given conditions is selected from the large volume of data, and a record (row data) containing an item data 
matching the condition is output. Therefore, in a data retrieval system for processing a large volume of data, a pro- 
longed operation time lowers the performance of the system. 

[0010] As described above, a database containing a confidential data is required to guarantee security, and an 
45 encrypting process to improve the security has the problem that the process can lower the availability of the database. 
[0011] Conventionally, when a database is encrypted, it is normal that the entire target file is encrypted using a fixed 
encryption key generated by, for example, a password, etc. 

[0012] However, as described above, since an encrypting process has been performed using a fixed encryption key 
according to the conventional system, the security level of each data item is averaged. In addition, when there are a 
so plurality of items containing the same data, the same encryption results are output, thereby causing the possibility that 
the encryption key can be decrypted. 

Summary of the Invention ^ . ; t 

sfc [0013] The present invention aims at providing an encryption/decryption apparatus capable of performing an 
encrypting process without a precision operation result and realizing a general purpose encrypting/decrypting process 
which is highly reliable and easily adds and changes an application. 

[0014] Another object of the present invention is to provide a database management apparatus capable of guaran- 
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items, encrypts the data of other column items requiring high security using a row key specific to each row with the row 
key further encrypted using another key common among the rows. 

[0027] Practically, the database management apparatus according to the present invention includes: a first encryp- 
tion unit for encrypting data of predetermined column items of a database using a column key common among the col- 
umn items, and encrypting data of other column items using a row key specific to each row; a second encryption unit 
for encrypting the row key used in encrypting the data of other column items in the database encrypted by the first 
encryption unit using another key common among the rows; and a storage unit for storing the database encrypted by 
the first encryption unit together with the row key encrypted by the second encryption unit. 

[0028] With the configuration, when a database is encrypted, the data of the column items other than a'predeter- 
mined column item used. in a retrieving process can be encrypted using a different key for each row so that different 
values can be obtained as encryption results of the data having the same values in the column items. Furthermore, 
higher security can be realized by complicating the decryption of the key by re-encrypting the key (row key), which is 
used in encrypting the column items, using another key 

[0029] In addition, when the row key is generated using a row number assigned to each row of the database and a 
random number, which makes the encryption of the key furthermore difficult, the security can be successfully rein- 
forced. 

[0030] Furthermore, a database system can be configured by a first terminal device for managing a database, and 
a second terminal device for searching the database independent of the first terminal device. 

[0031 ] In the database, the first terminal device encrypts the database, stores the encrypted database in a storage 
medium and distributes the storage medium, and the second terminal device retrieves data in the stored encrypted 
database stored in the distributed storage medium, decrypts the data obtained as the retrieval result, and displays the 
resultant data. In this case, the data of the predetermined column item of the database is encrypted using a column key 
common among the column items, the data of other column items is encrypted using a row key specific to each row, 
and the row key is encrypted using another key common among the rows, thereby storing the database in a storage 
medium and distributing the storage medium with the security successfully guaranteed. 

Brief Description of the Drawings 

[0032] 

FIG. 1 shows the configuration of the database management apparatus according to the first embodiment of the 
present invention; 

FIG. 2 is a flowchart of the operations of the database encrypting process performed by the database management 
apparatus; 

FIGS. 3A and 3B are flowcharts of the operations of the database searching process performed by the database 
' management apparatus; 

FIGS. 4A and 4B are flowcharts of the practical operations of the retrieving process in step H1 3 shown in FIG. 1 8A; 
FIG. 5 shows the configuration of the database according to the first embodiment of the database management 
apparatus of the present invention; FIG. 5(a) shows the state before encryption; FIG. 5(b) shows the state after 
encryption; and FIG. 5(c) shows the state after decryption; 

FIG. 6 shows the configuration of the column key and the row key according to the first embodiment of the database 
management apparatus; 

FIG. 7 shows the configuration of the database according to the second embodiment of the database management 
apparatus; FIG. 7(a) shows the state before encryption; FIG. 7(b) shows the state after encryption of the present 
invention; and FIG. 7(c) shows the state after decryption; 

FIG. 8 shows the configuration of the composite key according to the second embodiment of the database man- 
agement apparatus of the present invention; 

FIG . 9 is a block diagram of the configuration of the database system according to the third embodiment of the data- 
base management apparatus of the present invention; 

FIG. 10 shows the database management apparatus according to the fourth embodiment of the present invention; 
FIG. 11 is a block diagram of the configuration of the functions of the database management apparatus; 
FIG. 12 shows the configuration of the dialog for setting a basic key in the database management apparatus; 
FIG. 13 shows an example of a basic key parameter table in the database management apparatus; 
FIG/14 shows the configuration of the dialog for setting a key specification in the database management appara- 
tus; 

FIG. 15 shows an example of an entry in the key specification table in the database management apparatus; 
FfG. 16 shows the dataflow when the database is encrypted and decrypted in the database management appara- 
tus; 
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teeing the security of a database, and quickly retrieving data. 

rod 51 A further object of the present invention is to provide a database management apparatus capable of encrypt- 
ng a specific data item in a database with the security improved more than that of another data ,tem. That is, the data- 
base management apparatus according to the present invention encrypts data of a column item used In a retneving 
process using a column key commonly used for the column item, and encrypts data of other column .terns using a row 

S^^hVe^c^on device according to the present invention includes: a plaintext data obtaining unit for obtain- 
ng plaintext data to be encrypted; a vector generation unit for sequentially generating vectors defined ,n a closec area 
of an n(n>1 )-dimensional space; and a logical operation unit for generating encrypted data with a log.cal operation per- 
formed on the plaintext data obtained by the plaintext data obtaining unit arid the vector element generated by the vec- 
tor generation unit in bit units. On the other hand, a decryption device according to the present invention also indudes 
tSe vector generation unit; and an inverse logical operation unit for decoding the plaintext data by an inverse operation 
of the loqica! operation using the ciphertext data. 

[0017] The database management apparatus uses the encryption device according to the present invention in a 
aata encrypting process, and uses the decryption device according to the present invention when ciphertext data is 
decrypted into plaintext data. 

m018l The encryption system according to the present invention includes: a vector generation unit for general ng a 
vector r, using each element of a vector defined in a closed area of the n(n>1)-dimensional space, and an angle £l n 
determined by a parameter set P in such a way that each of the vectors r, (j > 0) sequentially generated using a non- 
linear function containing at least the n-dimensional rotation matrix R n (OJ for rotation of the vector cannot match each 
other in the n-dimensional space; and a binary operation unit for generating encrypted data using a binary operation of 
plaintext data and the element of the vector r, generated by the vector generation unit. 

[00191 The decryption system according to the present invention includes: a vector generation unit for general ng a 
vector r using each element of a vector defined in a closed area of the n(n>1)-dimensional space, and an angle fi n 
determined by a parameter set P in such a way that each of the vectors r, (j > 0) sequentially generated using a non- 
linear function containing at least the n-dimensional rotation matrix R n (n n ) for rotation of the vector cannot match each 
other in the n-dimensional space; and an inverse binary operation unit for receiving encrypted data generated in a 
binary operation of plaintext data and the element of a vector r, generated in a method similar to that of the vector gen- 
eration unit and decrypting the plaintext data in an inverse binary operation corresponding to an inverse operation of 
the binary operation using the vector r, generated by the vector generation unit and the encrypted data. 
r00201 With the above mentioned configuration, the vectors defined in the closed area of the n(nsl)-dimensional 
space are sequentially generated, and ciphertext data is generated in a logical operation of plaintext data to be 
encrypted and the element of the vector. 

[00211 Thus by encrypting plaintext data using elements of multidimensional vector, an encrypt.ng process can be 
performed without a precision operation such as the RSA method, etc., and a reliable general-purpose encrypt- 
ing/decrypting process capable of easily adding and changing an application can be realized. 
r00221 The database management apparatus according to the present invention includes: an encryption unit for 
enervating data of a predetermined column item of a database using a column key common among the column items, 
and encrypting data of other column items using a column key specific to each row; and a storage unit for storing a data- 

40 base encrypted by the encryption unit. 

r00231 With the configuration, the security can be improved by assigning a different key to each row when a data- 
base is encrypted. When a retrieving process is performed, a high-speed retrieving process can be real.zed by encrypt- 
ing data input for retrieval using a column key common among the predetermined column items, and comparing the 
item data of the encrypted retrieving data and the item data of the encrypted database. 

[00241 In addition the security can be furthermore reinforced by encrypting the data of the column items other than 
the column item used in the retrieving process using the combination of the row key specific to each row and the column 
kev common among the column items. 

r00251 Furthermore, a database can be stored in a separate place to generate a database system so that a request 
for a retrieving process can be issued from a separate information terminal through a network. In this case, the data of 
a predetermined column item (column item used in a retrieving process) is encrypted using a column key common 
among the column items, and the data of other column items is encrypted using a row key specific to each row. When 
a request to retrieve a database is issued from another information terminal, the retrieving data is encrypted using a 
column key common among the column items, and the encrypted retrieving data is transmitted through a network. By 
receiving the retrieving data, the process of retrieving the encrypted database can be performed, and the encrypted 
data obtained as a retrieval result Is returned to the information terminal through the network. Therefore, since data is 
transmitted constantly in an encrypted state, the database security can be guaranteed. 

[00261 When a database is encrypted, the database management apparatus according to the present invention 
encrypts the data of the column items used in a retrieving process using a column key common among the column 
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FIGS. 1 7A and 1 7B are flowcharts of the operations of the database encrypting process performed by the database 
management apparatus; 

FIGS. 1 8A and 1 8B are flowcharts of the operations of the database searching process performed by the database 
management apparatus; 

5 FIGS. 19A and 19B are flowcharts of the practical operations of the retrieving process in step P13 shown in FIG. 

18A; 

FIG. 20 shows the configuration of the database in the database management apparatus; FIG. 20(a) shows the 
state before encryption; FIG. 20(b) shows the state after encryption of the present invention; and FIG. 20(c) shows 
the state after decryption; 

io FIG. 21 is a block diagram of the configuration of the database according to the fifth embodiment of the database 
management apparatus of the present invention; 

FIG. 22 shows the contents of the data of the storage medium used in the database system; 
FIG. 23 shows the configuration of the system for performing encrypted data communications according to an 
embodiment of the present invention; 
15 FIG. 24 is a block diagram of the configuration of the circuit of the PC the security device used in the system; 
FIG. 25 shows the configuration of the database of the security device; 

FIG. 26 is a flowchart of the operations of the process of the PC and the security device when a user entry is made 
in the embodiment; 

FIG. 27 is a flowchart of the operations of the process of the PC and the security when data is encrypted in the 
20 embodiment; 

FIGS. 28A and 28B are flowcharts of the operations of the encrypting and decrypting processes in the embodi- 
ment; 

FIG. 29 shows the method of encryption operations using multidimensional vectors according to the present inven- 
tion; 

25 FIG. 30 shows the configuration of the system showing the principle of the encryption/decryption system according 
to the present invention; 

FIG. 31 shows an example of the internal functions of devices 110 and 112 shown in FIG. 8; 
FIG. 32 is a flowchart of the process of generating a multidimensional vector; 

FIG. 33 is a flowchart of the encryption/decryption system using the process of generating a multidimensional vec- 
30 tor; 

FIG. 34 is a flowchart of the decrypting process according to an embodiment of the present invention; 

FIG. 35 is a flowchart of the process of generating a three-dimensional vector r } according to an embodiment of the 

present invention; 

FIG. 36 is a flowchart of the process of generating an n-dimensional rotation matrix R n (fl n ) according to an embod- 
35 iment of the present invention; and . 

FIGS. 37A through 37C show the rotating operation of the three-dimensional vector according to an embodiment 
of the present invention. 

Description of the Preferred Embodiments 

40 

[0033] An embodiment of the present invention is described by referring to the attached drawings. 
[0034] FIG. 1 shows the configuration of the database management apparatus according to the present invention. 
[0035] The apparatus includes a database in a matrix form in rows and columns, and has the functions of encrypt- 
ing and managing the database, encrypting input retrieving data, and searching the database according to the 
45 encrypted retrieving data. It reads a program stored in a storage medium such as a magnetic disk, etc., and is realized 
by a computer whose operation is controlled by the program. 

[0036] As shown in FIG. 1,the apparatus comprises a CPU 311, a display device 31 2, an input device 313, a pro- 
gram storage device 314, a key storage device 315, and a data storage device 316. 

[0037] The CPU 31 1 controls the entire apparatus, reads the program stored in the program storage device 314, 
so and performs various processes according to the program. According to the present embodiment, the CPU 31 1 per- 
forms a database encrypting process as shown in FIG. 2, and a database searching process as shown in FIGS. 3A 
through 4B. 

[0038] The display device 312 is a device for displaying data. For example, an LCD (liquid crystal display), a CRT 
(cathode-ray tube), etc. are used. The input device 313 is a device for inputting data, and can be, for example, a key- 
55 board, a mouse, etc. 

[0039] The program storage device 314 comprises, for example, ROM, RAM, etc. and stores a necessary program 
for the apparatus. The apparatus requires a program such as a database management program, an encryption pro- 
gram, etc. 



5 



EP 1 089 194 A2 



[0040] The program storage device 314 can comprise, in addition to semiconductor memory, a magnetic and an 
optical storage medium. The storage medium includes a portable medium such as CD-ROM, etc. and a fixed medium 
such as a hard disk, etc. All or a part of the program stored in the storage medium can be received from a transmission 
control unit of a server and a client through a transmission medium such as a network circuit, etc. The storage medium 
5 can be a storage medium of a server provided in a network. Furthermore, the program can be designed to be installed 
in the appliances of a server and a client after being transmitted to the server and the client through a transmission 
medium such as a network circuit, etc. 

[0041] The key storage device 315 comprises, for example, RAM, etc. and stores a key (a row key and a column 
key) used when a database is encrypted. 

w [0042] The data storage device 31 6 is a device for storing various data necessary for the apparatus, and comprises, 
for example, RAM or an external storage device such as a magnetic disk device, etc. The data storage device 316 is 
provided with a database storage area 31 6a for storing a database, an encryption setting information storage area 31 6b 
for storing information (an item to be retrieved, a non-encrypted item, etc.) set by an operator when a database is 
stored, a retrieval setting information storage area 316c for storing information (a target column item, a retrieval char- 

15 acter string, etc.) set by an operator when a database is searched, a comparison character string storage area 31 6d for 
storing a comparison character string when a database is searched, etc. 

[0043] Before describing the operations of the apparatus, the database encrypting method used by the apparatus 
is first described below. 

[0044] If a different key is used for each row (record) when a database is encrypted, it becomes more difficult to 

20 decrypt a key, thereby improving the security. However, since the encrypted data has to be decrypted using a key for 
each row or the input retrieving data (keyword) has to be encrypted using a key for each row when a database is 
searched, it takes a long time to obtain a retrieval result. On the other hand, if a database is encrypted using a different 
key for each column, retrieving data is encrypted using only a key corresponding to a column item to be retrieved, 
thereby searching a database at a high speed. However, when there are the same data in the same column, the same 

25 encryption results are output, which may allow the key to be decrypted. 

[0045] The feature of the present invention resides in that the data of a column item frequently used in a retrieving 
process is encrypted using a common column key, and the data of other column items is encrypted by assigning a dif- 
ferent key to each row when a database is encrypted. That is, the security can be improved by using a different key for 
each row, and a high-speed retrieving process can be realized by encrypting the data input to a retrieving item using a 

30 column key, and comparing the encryption result with the encrypted data in the database. 

[0046] FIG. 5 shows the configuration of the database according to the first embodiment of the database manage- 
ment apparatus of the present invention; FIG. 5(a) shows the state before encryption; FIG. 5(b) shows the state after 
encryption; and FIG. 5(c) shows the state after decryption. FIG. 6 shows the configuration of the column key and the 
row key according to the first embodiment of the database management apparatus. 

35 [0047] As shown in FIG. 5(a), the apparatus has a matrix in rows and columns. FIG. 5(a) shows personal data as 
a database. The database has a record comprising the items of: 'number', 'name', 'weight', 'height*, 'age', and 'phone'. 
[0048] The database is encrypted using a column key and a row key. That is, when a column item frequently used 
in a retrieving process comprises 'name', 'state', and 'age', the data of each row of the column item is encrypted using 
a column key common among column items such as the 'apple 1 , 'orange', 'lemon', etc. as shown in FIG. 6, and the data 

40 of each row of other column items 'weight', 'height', and 'phone' is encrypted using a key specific to each row. 

[0049] It is assumed that the row of the 'number' is not encrypted. As a row key, 'tiger 1 , 'dog', 'cat', 'mouse', 'ele- 
phant', 'cow', 'pig', 'rabbit*, 'lion', etc. are used. 

[0050] These column keys and row keys determine a predetermined nonlinear function, and an encrypting 
(decrypting) process is performed by a binary operation (inverse binary operation) of the function and the vector math- 
45 ematically generated using the function. In this case, the encryption/decryption system according to the present inven- 
tion can be used as described below. 

[0051] FIG. 5(b) shows the result of encrypting the database shown in FIG. 5(a) using the column key and the row 
key. The database storage area 31 6a of the data storage device 31 6 stores the database in the state as shown in FIG. 
5(b). 

so [0052] When the database is searched, the retrieving data is encrypted using a column key corresponding to the 
column item used in the retrieval, and then a retrieving process is performed. For example, when the data such as 'Flor- 
ida' in the 'State* is to be retrieved, the 'Florida' input as a retrieving data is encrypted using the column key 'apple' of 
the 'state', thereby obtaining 'h7fDD\ The data such as the 'hVfDD' is retrieved from each row of the column of the 
'state'. Thus, it is determined that the data corresponding to the *number2' and 'numbers* exist. 

55 [0053] In addition, when the encrypted database is restored to the original state, the column key and the row key 
used in the encrypting process are used. When the data is decrypted using the column key and the row key used in the 
database encrypting process as shown in FIG. 5(b), the original data can be obtained as shown in FIG. 5(c). 
[0054] Described below are the operations of the apparatus. 
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I [0069] If an input column item to be retrieved is not a predetermined column item (NO in step 111), then the retriev- 
\ ing character string is not encrypted. 

| [0070] After the above mentioned pre-retrieval process, the database is searched (refer to FIG. 4A)(step HI 3), and 
the data obtained as a retrieval result is displayed on the display device 312 (step H14). 

5 [0071] FIGS. 4A and 4B show a database searching process. 

[0072] FIGS. 4A and 4B are flowcharts of the practical operations of the retrieving process in step H13. 
[0073] First, as shown in the flowchart shown in FIG. 4A, a retrieving character string is set in the comparison char- 
acter string storage area 31 6d of the data storage device 316 as a character string to be compared with the database 
(step J1 1). In this case, as described above, if a column item input to be retrieved is a predetermined column item 

10 'name', 'state', and 'age'), then the retrieving character string is encrypted using the column key corresponding to the 
column item, and set in the comparison character string storage area 31 6d in the pre-retrieval process. If the input item 
is not a predetermined column item, it is not encrypted, remains unchanged, and set in the comparison character string 
storage area 31 6d. 

[0074] Then, the encryption system is determined by a column number of the encrypted database stored in the 
15 database storage area 31 6a of the data storage device 31 6 (step J1 2). Thus, when an item to be retrieved is a prede- 
termined column item encrypted using a column key, the data in each row of the target column is sequentially scanned 
(steps J12 and J13), and the character string of the data of the target item contained in the specified row is compared 
with the retrieving character string (encrypted character string) set in the comparison character string storage area 
31 6d (step J 14): 

20 [0075] In the comparing process, as shown in the flowchart shown in FIG. 4B, the encrypted character string of the 
data of a target item retrieved from the database is compared with the encrypted character string for use in a retrieving 
process, and it is determines whether or not they match each other (step K1 1). When they match each other (YES in 
step K1 1), the record data containing the matching items is extracted as a database search result (step K12). 
[0076] The process is repeated until the end of the encrypted database, the corresponding data is sequentially 

25 extracted (step J15), and the extracted data is output as a retrieval result (step J20). 

[0077] Practically, in the example of the encrypted database shown in FIG. 5(b), for example, if the data such as 
'Florida' in the item 'state', etc. is specified for retrieval, then the 'Florida' input as retrieving data is encrypted using the 
column key 'apple' of the 'state', thereby obtaining 'hVfDD'. The data such as the 'hVfDD', etc. is retrieved from the col- 
umn of the 'state'. Thus, it is determined that the data corresponding to both 'number 2' and 'number 8' exists. 

30 [0078] On the other hand, when an item to be retrieved corresponds to one of other column items encrypted using 
a row key, the data in each row of the target column is sequentially scanned (steps J1 2 through J 16), the data of a target 
item contained in a specified row is decrypted using a row key specific to each row (step J17), and then the result is 
compared with the retrieving character string (non-encrypted character string) set in the comparison character string 
storage area 31 6d (step J1 8), 

35 [0079] In the comparing process, as shown in the flowchart shown in FIG. 4B, it is determined whether or not the 
decrypted character string of the data in a target column retrieved from the database matches the non-encrypted char- 
acter string for use in a retrieving process (step K1 1 ). If they match each other (YES in step K1 1 ), then the record data 
containing the matching item is extracted as a database retrieval result (step K12). 

[0080] The process is repeated to the end of the encrypted database, the corresponding data is sequentially 

40 extracted (step J1 9), and the extracted data is output as a retrieval result (step J20). 

[0081] Practically, in the example of an encrypted database shown in FIG. 5(b), for example, when the data such 
as '163' in the item 'eight' is specified to be retrieved, the data in row 1 of the 'weight' is decrypted using a row key such 
as the 'tiger 1 , etc. Similarly, the data in rows 2, 3, 4, 5, 6, 7, 8, and 9 is decrypted respectively using the corresponding 
row keys 'tiger', 'dog', 'cat', 'mouse', 'elephant', 'cow', 'pig', 'rabbit', and 'lion' as shown in FIG. 6. Then, based on the '1 63' 

45 input as retrieving data, the column of the 'state' or the corresponding data is retrieved. Thus, it is determined that the 
data corresponding to the 'number 3' and 'number 9' exists. 

[0082] Thus, when a database is encrypted, a predetermined column item used in a retrieving process is encrypted 
using a common column key. In a retrieving process, retrieving data is encrypted using the common column key,, and 
compared with the encrypted data in the database, thereby realizing high-speed retrieval. In addition, a column item 
so other than the predetermined column item is assigned a different key for each row and encrypted to improve the secu- 
rity. In this case, when a retrieving process is performed, the decryption using a key for each row is required. Therefore, 
it takes a longer time than in the retrieving process on the predetermined column item, which, however, is not a problem 
because the item is not frequently used in the retrieving process. 

[0083] According to the first embodiment, the data of the column items other than a predetermined column item is 
55 encrypted using a specific row key for each row. However, according to the second embodiment, a specific row key for 
each row and a common column key for a corresponding column item are used in combination in an encrypting process 
to furthermore improve the security, 

[0084] FIG. 7 shows the configuration of the database according to the second embodiment; FIG. 7(a) shows the 
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[0055] The process (a) of encrypting a database, and the process (b) of retrieving a database are separately 
described below. The program for realizing each function shown in the flowchart in FIGS. 2 through 4 is stored in a storr 
age medium of the program storage device 314 in program code readable by the CPU. The program can also be trans- 
mitted through a transmission medium such as a network circuit. 

5 

(a) When a database is encrypted: 

[0056] FIG. 2 is a flowchart of the operations of the database encrypting process performed in the apparatus. FIG. 
5(a) shows the state of the non-encrypted database stored in the database storage area 316a of the data storage 
w device 31 6. 

[0057] First, on the database encryption setting screen, a database to be encrypted is specified (step G1 1 ). 
[0058] Then, in the column items provided in the database, a column item used in a retrieving process and a col- 
umn item not to be encrypted are set (step G12). In the example shown in FIG. 20(a), the column items used in a 
retrieving process are 'name' 'state', and 'age', and the column item not to be encrypted is 'number 1 . The set information 

15 is stored in the encryption setting information storage area 31 6b of the data storage device 31 6. 

[0059] Then, the row key and the column key used when the database is encrypted are determined (step G 1 3). The 
information about the determined row key and column key is stored in the key storage device 315. 
[0060] When the column items in the database are sequentially specified after the above mentioned setting opera- 
tions (step G14), the encryption system for the column item is determined according to the setting information (step 

20 G15). In this case, since the column item of the 'number' in the database is set as a non-encrypted item, no process is 
performed. That is, the item of the 'number' is unchanged as the original data. 

[0061] When the specified column item is set as a column item to be used in a retrieving process, a common col- 
umn key for the column item stored in the key storage device 315 is read (steps G15 and G16), and the data in each 
row of the column item is encrypted using the column key (step G1 7). That is, the data of each row of each item of the 
25 'name', 'state', and 'age* of the database is encrypted using a key specific to each column such as 'apple', 'orange', 
'lemon', etc. as shown in FIG. 6. 

[0062] If the specified column item is not set as a column item for use in a retrieving process, that is, the other col- 
umn items, then a row key corresponding to each row stored in the key storage device 315 is read (steps G15 through 
G1 8), and the data of each row of the column item is encrypted using a specific row key (steps G19 and G20). That is, 
30 as for the data of each item of the 'state', 'weight', and 'height 1 of the database, the data in row 1,2,3, 4, 5, 6, 7, 8, and 
9 is encrypted respectively using the corresponding row keys 'tiger 1 , 'dog', 'cat', 'mouse', 'elephant', 'cow', 'pig', 'rabbit', 
and 'lion' as shown in FIG. 6. 

[0063] Thus, the encrypting process is repeatedly performed for each column item of the database. When the data 
encrypting process is completed on each row of all column items, the encrypted database is overwritten in the database 
35 storage area 31 6a of the data storage device 31 6 (step G22). FIG. 5(b) shows this state. 

(b) When a database is retrieved: 

or- ^ 

[0064] FIGS. 3A and 3B are flowcharts of the operations of the database retrieving process performed by the appa- 
\ 40 ratus. 

[0065] Assume that a database is encrypted in the encrypting process described above in (a) above, and stored in 
the data storage device 31 6. 

[0066] First, as shown in the flowchart shown in FIG. 3A, the database retrieval setting screen, retrieval information 
is input (step H1 1 ). Inputting retrieval information refers to inputting a column item to be retrieved, and a retrieving char- 
ts acter string (keyword). The input information is stored in the retrieval setting information storage area 316c of the data 
storage device 31 6. When the retrieval information is input through the input device 313, a pre-retrieval process is per- 
formed (step H12). 

[0067] In this pre-retrieval process, as shown in the flowchart shown in FIG. 3B, it is determined whether or not the 
column item input to be retrieved is a pre-retrieval process column item (step 111). If yes (YES in step 11 1), then the 
retrieving character string is encrypted using a common column key for the column item (step 112). 
[0068] A predetermined column item refers to an item to be retrieved (item used in a retrieving process) set when 
the database is encrypted, and practically corresponds to each of the items 'name', 'state', and" 'age'. The information 
relating to the item to be retrieved is stored in the encryption setting information storage area 316b of the data storage 
device 316. Therefore, in step 111, it is determined whether or not an input column item is a predetermined column item 
by referring to the encryption setting information storage area 316b. A common column key item to the column items is 
stored in the key storage device 31 5. Therefore, in step 1 1 2, a column key corresponding to the column item is read from 
the key storage device 315, and a retrieving character string is encrypted. For example, if the specified item is 'state', 
then a retrieving character string can be encrypted using the column key such as 'orange', etc. 
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state before encryption; FIG. 7(b) shows the state after encryption; and FIG. 7(c) shows the state after decryption. FIG. 
8 shows the configuration of the composite key according to the second embodiment. 

[0085] As shown in FIG. 7(a), the apparatus has a matrix in rows and coiumns. Here shows personal data as a 
database. The database has a record comprising the items of: 'number 1 , 'name', 'weight', 'height', 'age', and 'phone'. 
[0086] The database is encrypted using a composite key. That is, when a column item frequently used in a retriev- 
ing process comprises 'name', 'state', and 'age', the data of each row of the column item is encrypted using a column 
key common among column items such as the 'apple', 'orange', 'lemon', etc. as shown in FIG. 8, and the data of each 
row of other column items 'weight', 'height', and 'phone' is encrypted using a composite key of a column key and a row 
key such as 'banana + a row key', 'lychee + a row key', 'apricot + a row key 1 , etc. 

[0087] It is assumed that the row of the 'number 1 is not encrypted. As a row key, 'tiger 1 , 'dog', 'cat', 'mouse', 'ele- 
phant', 'cow', 'pig', 'rabbit', 'lion 1 , etc. are used. 

[0088] These column keys and row keys determine a predetermined nonlinear function, and an encrypting 
(decrypting) process is performed by a binary operation (inverse binary operation) of the function and the vector math- 
ematically generated using the function. In this case, the encryption/decryption system according to the present inven- 
tion can be used as described below. 

[0089] FIG. 7(b) shows the result of encrypting the database shown in FIG. 7(a) using a composite key. The data- 
base storage area 31 6a of the data storage device 31 6 stores the database in the state as shown in FIG. 7(b). 
[0090] When the database is searched, as in the above mentioned first embodiment, the retrieving data is 
encrypted using a common column key corresponding to the column item used in the retrieval, and then a retrieving 
process is performed. For example, when the data such as 'Florida' in the 'State' is to be retrieved, the 'Florida' input as 
a retrieving data is encrypted using the column key 'apple' of the 'state', thereby obtaining 'hVfDD'. The data such as 
the 'hVfDD' is retrieved from each row of the column of the 'state'. Thus, it is determined that the data corresponding to 
the 'number2' and 'number8' exist. 

[0091] In addition, when the encrypted database is restored to the original state, the composite key used in the 
encrypting process is used. When the data is decrypted using the composite key used in the database encrypting proc- 
ess as shown in FIG. 7(b), the original data can be obtained as shown in FIG. 7(c). 

[0092] Since the processes performed when a database is encrypted or when an encrypted database is searched 
are the same as those of the above mentioned first embodiment (FIGS. 2 through 4B) except the data of each row of 
the column items other than a predetermined column item is encrypted using a combination of a column key and a row 
key, the explanation of the processes are omitted here. 

[0093] Thus, the column items frequently used in a retrieving process are encrypted using a column key common 
among the column items, thereby realizing high speed retrieval as in the above mentioned first embodiment. Other col- 
umn items are encrypted using a column key and a row key as a composite key, thereby furthermore reinforcing the 
security. 

[0094] According to the first and second embodiments, the present invention is designed as a single apparatus, but 
can also be designed as a database system for requesting a retrieving process from another information terminal 
through a network with the database stored in separate places. 
[0095] Described below is the above mentioned database system. 

[0096] FIG. 9 is a block diagram of the configuration of the database system according to the third embodiment of 
the present invention. 

[0097] The system comprises a first terminal device 320 and a second terminal device 330. The first terminal 
device 320 is connected to the second terminal device 330 through a network 340. 

[0098] The first terminal device 320 is used as a server computer for providing a database service, and comprises 
a retrieval device 321 for searching a database, and a data storage device 322 for storing a database. The second ter- 
minal device 330 requests the first terminal device 320 to search a database, receives the result from the first terminal 
device 320 as a client computer, and comprises a retrieval request device 331 and a decryption device 332. 
[0099] With the database system, the first terminal device 320 encrypts the data of each row of a predetermined 
column item of a database using a column item common among corresponding column items as described above by 
referring to FIG. 2, encrypts the data of each row of other column items using a row key specific to each row, and stores 
the result in the data storage device 322. 

[0100] When the second terminal device 330 requests the first terminal device 320 to search a database, the sec- 
ond terminal device 330 performs the processes up to the pre-retrieval process shown in FIG. 3A. That is, the retrieval 
request device 331 of the second terminal device 330 determines whether or not a column item input to be retrieved is 
a predetermined column item, and encrypts a retrieving character string (keyword) using a column key common among 
corresponding column items when the input column item is a predetermined column item. When the input column item 
is not the predetermined column item, the encrypting process is not required. 

[0101] After the pre-retrieval process, the second terminal device 330 transmits a retrieving character string to the 
first terminal device 320 through the network 340. The first terminal device 320 performs the retrieving process as 
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described above by referring to FIGS. 4A and 4B by receiving the retrieving character string. 

[0102] That is, the retrieval device 321 of the first terminal device 320 determines whether or not a column item to 
be retrieved is a predetermined column item, compares the retrieving character string (encrypted character string) 
obtained from the second terminal device 330 with the data of each row of the corresponding column item in the 

5 encrypted database in the data storage device 322 if the column item is a predetermined column item, and extracts the 
corresponding data. In addition, if a column item to be retrieved is an item other than the predetermined, then the data 
of the corresponding column item of the encrypted database in the data storage device 322 is decrypted using a key 
for each row, the retrieving character string (non-encrypted character string) obtained from the second terminal device 
330 is compared with the decrypted data of each row, and the corresponding data is extracted. 

10 [0103] When a retrieval result can be obtained, the first terminal device 320 returns the data obtained as the 
retrieval result as encrypted data to the second terminal device 330 through the network 340. The second terminal 
device 330 shares an encryption key with the first terminal device 320. Therefore, when the second terminal device 330 
receives a retrieval result from the first terminal device 320, the decryption device 332 can decrypt the data using the 
encryption key. In this case, since encrypted data is communicated between the first terminal device 320 and the sec- 

75 ond terminal device 330, the security of the database can be guaranteed. 

[0104] Thus, even in a database system having a database on the first terminal device 320 to search the database 
by access from the second terminal device 330, the data of a column item frequently used in a retrieving process is 
encrypted using a column key common among the corresponding column items, and the data of other column items are 
encrypted using a row key specific to each row, thereby improving the security and realizing high-speed retrieval. 

20 [0105] The data of the column items other than the predetermined column item can be encrypted using a Compos- 
ite key of a row key specific to each row and a column key common among the corresponding column items as in the 
above mentioned second embodiment, thereby furthermore improving the security. 

[0106] Described below is a further embodiment of the database management apparatus according to the present 
invention. 

25 [0107] FIG. 10 shows the configuration of the database management apparatus according to the fourth embodi- 
ment of the present invention. 

[0108] The apparatus encrypts and manages a database arranged as a matrix in rows and columns, and searches 
the encrypted database. It can be realized by a computer for reading a program which is stored in a storage medium 
such as a magnetic disk, etc., and controls the operations of the computer. 

30 [01 09] As shown in FIG. 1 0, the apparatus comprises a CPU 411 , a display device 41 2, an input device 41 3, a pro- 
gram storage device 414, a key generation device 415, a data storage device 416, and a database l/F 417. 
[0110] The CPU 41 1 controls the entire apparatus, reads a program stored in the program storage device 414, and 
performs various processes according to the program. According to the present embodiment, the CPU 41 1 performs 
an encrypting process for a database as shown in FIGS. 17A and 17B, and a retrieving process for the database as 

35 shown in FIGS. 1 8A through 1 9. 

[0111] The display device 412 is a device for displaying data, and can be, for example, an LCD (liquid crystal dis- 
play), a CRT (cathode-ray tube), etc. The input device 413 is a device for inputting data, and can be, for example, a key- 
board, mouse, etc. 

[0112] The program storage device 414 comprises for example, ROM or RAM, etc., and stores a program required 
40 by the apparatus. A program required by the apparatus can be, a database encryption program, a database search pro- 
gram, etc. 

[0113] The program storage device 41 4 can be, in addition to semiconductor memory, magnetic and optical storage 
media. The storage medium includes a portable medium such as CD-ROM, etc. and a fixed medium such as a hard 
disk, etc. A program stored in the storage medium can be designed such that a part or all of the program can be trans- 

45 mitted from a server or a client to a transmission control unit through a transmission medium such as a network circuit, 
etc. Furthermore, the storage medium can be that of a server provided in a network. Furthermore, the program can be 
transmitted to a server or a client through a transmission medium such as a network circuit, etc. 
[0114] The key generation device 415 is a device for generating an encryption key used in encrypting a database, 
and comprises, in this embodiment, a basic key generation unit 41 5a, a row key generation unit 41 5b, and a column key 

so generation unit 41 5c for generating three encryption keys, that is, a basic key, a row key, and a column key respectively. 
[0115] The data storage device 41 6 stores various data and tables required for the apparatus, and comprises RAM, 
or an external storage device such as a magnetic disk device, etc. The data storage device 41 6 comprises a basic key 
parameter table 416a, a basic key storage unit 416b, a key specification table 416c, an encrypted data storage unit 
41 6d, and a retrieval character string storage unit 41 6e. 

55 [0116] The basic key parameter table 41 6a is a table in which a parameter value of a basic key is entered, (refer to 
FIG. 1 3). The basic key storage unit 41 6b stores a parameter value of a basic key obtained in a specifying operation by 
an operator. The key specification table 416c is a table storing the types (non-encryption, a row key, a column key) of 
encryption system defined for each column (field) of a database (refer to FIG. 15). The encrypted data storage unit 41 6d 



10 



EP 1 089 194 A2 



stores an encrypted database. The retrieval character string storage unit 41 6e stores a retrieving character string spec- 
ified by an operator when a database is searched. 

[0117] The database l/F 417 is an interface for transmitting arid receiving data to and from an external database 
storage device 418 provided independent of the apparatus. The external database storage device 418 contains a plu- 
5 rality of database files (original data), and these database files are designed to be selectively read by access from the 
apparatus. 

[0118] Described below is the method of applying the above mentioned encryption system to a database in the 
apparatus. 

[0119] When a database is encrypted, it is difficult to decrypt a key if a different key is used for each row (record), 
to thereby improving the security. However, since the encrypted data has to be decrypted using a key for each row or the 
input retrieving data (keyword) has to be encrypted using a key for each row when a database is searched, it takes a 
long time to obtain a retrieval result if a different key is used for any row. On the other hand, if a database is encrypted 
using a different key for each row (field), retrieving data is encrypted using only a key corresponding to a column item 
to be retrieved, thereby searching a database at a high speed. However, when there are the same data in the same col- 
15 umn, the same encryption results are output, which may allow the key to be decrypted. 

[0120] The feature of the present invention resides in that the data of a column item frequently used in a retrieving 
process is encrypted using a common key (column key), the data of other column items is encrypted using a different 
key (row key) for each row, and the key (row key) different for each row is encrypted using another common key (basic 
key) among the rows. The encrypting process (decrypting process) using a basic key can determine a predetermined 
20 nonlinear function, and an encrypting (decrypting) process is performed by a binary operation (inverse binary opera- 
tion) of the function and the vector mathematically generated using the function. In this case, the encryption/decryption 
system according to the present invention can be used as described below. 
[0121] FIG. 20 shows a practical example. 

[0122] FIG. 20 shows the configuration of the database of the apparatus according to the present invention; FIG. 
25 20(a) shows the state before encryption; FIG. 20(b) shows the state after encryption of the present invention; and FIG. 
20(c) shows the state after decryption. 

[0123] As shown in FIG. 20(a), the apparatus encrypts a database arranged in a matrix in rows and columns. In this 
example, personal data is processed as a database. The database contains column items (fields) of 'code', 'name', 
'state', 'age', and 'phone'. 

30 [0124] The database is encrypted using a column key and a row key. That is, when a column item frequently used 
in a retrieving process comprises 'state' and 'age', the data (record) of each row of the column item is encrypted using 
a column key common among column items, and the data of each row (record) of other column items 'name' and 
'phone' is encrypted using a specific row key for each row. Thus, the results are stored in a record file. At this time, a 
row key used when the corresponding column item is encrypted is encrypted using a basic key, and the encrypted row 

35 key is added to each record, and the result is stored. The data of the column item 'code' is not encrypted. 

[0125] FIG. 20(b) shows the result of encrypting the database shown in FIG. 20(a) using the column key and the 
row key. In this case, the column item such as 'line key' is added, and row keys (9658, 9143, 8278, ...) are added to the 
column item. The encrypted data storage unit 41 6d of the data storage device 41 6 shown in FIG. 1 0 stores a database 
in the state shown in FIG. 20(b). 

40 [0126] When the database is searched, the retrieving data is encrypted using a column key corresponding to the 
column item used in the retrieval, and then a retrieving process is performed. For example, when the data such as 'Flor- 
ida' in the 'State' is to be retrieved, the 'Florida' input as a retrieving data is encrypted using the column key of the 'state', 
thereby obtaining 'h*/fDD'. The data such as the 'hVfDD' is retrieved from each row of the column of the 'state'. Thus, it 
is determined that the data corresponding to the 'code 1002' and 'code 1008' exist. 

45 [0127] In addition, when the encrypted database is restored to the original state, the column key the row key, and 
the basic key used in the encrypting process are used. When the data is decrypted using the column key, the row key, 
and the basic key used in the database encrypting process as shown in FIG. 20(b), the original data can be obtained 
as shown in FIG. 20(c). 

[0128] Described below is the practical configuration for encrypting/decrypting a database. 
50 [0129] FIG. 1 1 is a block diagram of the configuration of the functions of the apparatus according to the present 
invention. 

[0130] The input process system of the apparatus comprises a basic key specification unit 421 , a basic key setting 
unit 422, a key specification input unit 423, and a key specification setting unit 424. The encryption process system of 
the apparatus comprises a data read unit 425, a record input memory 426, an encrypting unit 427, an encrypted record 
55 write memory 428, and a data write unit 429. The encryption process system of the apparatus comprises an encrypted 
record read memory 430, a decrypting unit 431 , a record output memory 432, and a data output unit 433. in addition, 
the above mentioned basic key parameter table 41 6a, the basic key storage unit 41 6b, the key specification table 41 6c, 
and the encrypted data storage unit 41 6d are used. The basic key parameter table 41 6a is used for the basic key setting 
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unit 422. The basic key storage unit 416b, the key specification table 416c, and the encrypted data storage unit 41 6d 
are used for both encrypting unit 427 and decrypting unit 431. 

[0131] Various types of memory 426, 428, 430, and 432 shown in FIG. 1 1 is a group of registers, and provided in 
a predetermined area of the data storage device 41 6. 
5 [0132] When a database is encrypted with the configuration, a basic key is specified in an operation of an operator 
through the basic key specification unit 421 . The basic key setting unit 422 reads the parameter value of the basic key 
specified by the basic key specification unit 421 froni the basic key parameter table 416a, and sets it in the basic key 
storage unit 416b. 

[0133] Practically, the basic key is specified through the basic key setting dialog as shown in FIG. 12. The basic key 

10 setting dialog is a screen for optional specification of a basic key by an operator. On the screen, a basic key specification 
button unit 441, an OK button 442, and a cancel button 443 are provided. The basic key specification button unit 441 
comprises a plurality of buttons. When an operator presses an optional button among these buttons, a parameter value 
of the basic key is determined depending on the position of the pressed button. The OK button 442 is used to guarantee 
the specification of a basic key, and the cancel button 443 is used to cancel the specification of the basic button. 

15 [0134] For example, assume that 16 buttons 1 through 16 are arranged on the basic key specification button unit 
441 sequentially from left to right. As shown in FIG. 13, the parameter value of the basic key is defined corresponding 
to the positions of these buttons on the basic key parameter table 41 6a. When an operator presses the button 1 on the 
basic key specification button unit 441 , the parameter value of 5 of the basic key is determined according to the basic 
key parameter table 416a. Similarly, when the button 2 on the basic key specification button unit 441 is pressed, the 

20 parameter value of 7 of the basic key is determined. 

[0135] Then, the external database storage device 41 8 is accessed, and the database to be encrypted is specified 
from among various databases stored in the external database storage device 418. After specifying the database, the 
operator specifies a key specification for each data item of the database through the key specification input unit 423. 
The key specification setting unit 424 enters the key specification information in the key specification table 416c in the 

25 specifying operation of the key specification by the key specification input unit 423. 

[0136] Practically, the key specification is entered through the key specification setting dialog as shown in FIG. 14. 
The key specification setting dialog is a screen on which an encryption system (type of key used in encryption) is option- 
ally specified by an operator for each array item (field) of the database. On the screen an encryption system specifica- 
tion column 451 , an OK button 452, and a cancel button 453 are provided. 

30 [0137] As an encryption system, a key (row key) can be used for each row, or a key (row key) common among the 
columns can be used. In this example, a value can be input as an encryption system for each column item of a database 
to the encryption system specification column 451 . The value can be 0 (non-encryption), 1 (a row key), or 2 (a column 
key). The OK button 452 is used to set the key specification. The cancel button 453 is used to cancel the setting of the 
key specification. When the encryption system is specified in the key specification setting dialog, the contents of the 

35 specification are entered in the key specification table 41 6c as the key specification information for each column item. 
[0138] FIG. 1 5 shows an example of an entry in the key specification table 41 6c. 

[0139] In this example, non-encryption is set as the item of the column number 1 of the database, a row key is set 
as the item of the column number 2, a column key is set as the item of the column number 3, a column key is set as the 
item of the column number 4, and a column key is set as the item of the column number 5. The item having the column 
40 number of 1 is 'code'. The item having the column number of 2 is 'name'. The item having the column number of 3 is 
'state', the column having the column number of 4 is 'age 1 , and the item having the column number of 5 is 'phone'. 
[0140] When a basic key is set in the basic key storage unit 416b, and when key specification information for each 
column item is set in the key specification table 416c, the database is encrypted in the following procedure according 
to the setting information 

45 [0141] That is, as shown in FIG. 1 1 , a database specified from the external database storage device 418 is read in 
row units (record units) by the data read unit 425, and sequentially stored in the record input memory 426. The encrypt- 
ing unit 427 encrypts a record stored in the record input memory 426 using the basic key parameter table 41 6a and the 
basic key storage unit 41 6b. The encrypting process is described below in detail by referring to FIG. 16. 
[0142] After a record is encrypted by the encrypting unit 427 and stored in the encrypted record write memory 428, 

so it is written to the encrypted data storage unit 41 6d through the data write unit 429. Thus, the encrypted database is 
generated in the encrypted data storage unit 41 6d. 
[0143] The database is decrypted in the inverse procedure. 

[0144] That is, first, the encrypted database stored in the encrypted data storage unit 41 6d is read in row units 
(record units), and sequentially stored in the encrypted record read memory 430. The decrypting unit 431 decrypts the 
55 encrypted record stored in the encrypted record read memory 430 using the key specification table 41 6c and the basic 
key storage unit 41 6b. The decrypting process is described below in detail by referring to FIG. 1 6. The record decrypted 
by the decrypting unit 431 is stored in the record output memory 432, and is then output to a data file 434 through the 
data output unit 433. Thus, a decrypted database is generated in the data file 434. The data file 434 is provided in a 
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predetermined area of the data storage device 41 6 shown in FIG. 10. 
[0145] FIG. 1 6 shows a practical example. 

[0146] FIG. 1 6 shows the flow of data when a database is encrypted and decrypted in the apparatus according to 
the present invention. 

5 [0147] Assume that the record in row 1 of the database specified to be encrypted is read by the data read unit 425, 
and stored in the record input memory 426. In this case, using the database shown in FIG. 20(a) as an example, the 
data having 5 items, that is, '1 001 ', 'John', 'New York', '22', '407-228-661 1 ' in row 1 of the database is sequentially stored 
in the record input memory 426. 

[0148] The encrypting unit 427 encrypts the 5-item record for each item by referring to the key specification table 
io 416c. For example, when the contents set in the key specification table 416c are as shown in FIG. 15, the first item 
('code') data of the record corresponding to the column number 1 is not encrypted, and is written as is to the encrypted 
record write memory 428. 

[0149] In addition, the second item ('name') data of the record corresponding to the column number 2 is encrypted 
using a row key, and is written to the encrypted record write memory 428. A row key is generated at random using the 
75 row number and random numbers, and a different value is used for each row. The data of the third item ('state') of the 
record corresponding to the column number 3 is encrypted using a column key. The column key has a value common 
among the columns. 

[0150] Similarly, the data of the fourth item ('age') of the record corresponding to the column number 4 is encrypted 
using a column key, and the data of the fifth item ('phone') of the record corresponding to the column number 5 is 

20 encrypted using a row key. Then, they are written to the encrypted record write memory 428. Thus, a 1-row encrypted 
data of '100i\ 'wjls', 'noevjolc', 'jh', and 'jgdltytfhDSk' is generated in the encrypted record write memory 428. 
[0151] Furthermore, the encrypting unit 427 encrypts a row key used when the record is encrypted using the 
parameter value set in the basic key storage unit 41 6b and a basic key common among the rows, and then the row key 
after the encryption is added to the encrypted record write memory 428. In the example shown in FIG. 16, the data 

25 '9568' is a row key after the encryption. 

[0152] The above mentioned process is repeatedly performed on each row of the database, and the encrypted 
database is stored in the encrypted data storage unit 41 6d. FIG. 20(b) shows this state. 

[0153] When an decrypting process is performed, the process inverse to the encrypting process is performed. 
[0154] That is, the encrypted database stored in the encrypted data storage unit 41 6d is read in a record unit to the 
30 encrypted record read memory 430. Assuming that the encrypted record in row 1 is read to the encrypted record read 
memory 430, in the above mentioned example, a 6-item encrypted data of '1001', 'wjls', 'noevjolc', 'jgdltytfhDSk', and 
'9568' containing a row key is sequentially stored in the encrypted record read memory 430. 

[0155] The decrypting unit 431 decrypts the 6-item data record corresponding to each item by referring to the key 
specification table 416c. In the example shown in FIG. 15, the data of the first item ('code') corresponding to the column 

35 number 1 is non-encrypted, the data is written as is to the record output memory 432. 

[0156] The data of the second item ('name') corresponding to the column number 2 is decrypted using a row key, 
and the result is written to the record output memory 432. Since the row key is encrypted in the encrypting process 
using a basic key, the row key is decrypted using the basic key to restore it to the original data. In addition, the data of 
the second item ('name') corresponding to the column number 3 is decrypted using a column key and written to the 

40 record output memory 432. 

[0157] Similarly, the data of the fourth item ('age') corresponding to the column number 4 is decrypted using a col- 
umn key, and the data of the fifth item ('phone') corresponding to the column number 5 is decrypted using a row key. 
The results are written to the record output memory 432. Thus, 1-row decrypted data (original data), that is, '1001', 
•John', 'New York', '22', '407-228-661 V is generated in the record output memory 432. 

45 [0158] The above mentioned process is repeatedly performed on each row of the encrypted database, and the 
decrypted database is stored in the data file 434. FIG. 20(c) shows this state. 

[0159] The operations of the apparatus according to the present invention are described below by referring to the 
flowchart. 

[0160] In this example, the process (a) performed when a database is encrypted, and the process (b) performed 
50 when a database is searched are separately described below. The program for realizing each function in the flowchart 
is stored as CPU-readable program code in the storage medium of the program storage device 414. The program can 
be transmitted as program code through a transmission medium such as a network circuit. 

* 

(a) When. a database is encrypted: 

55 

[0161] FIGS. 17A and 17B are flowcharts of the operations of the database encrypting process performed by the 
apparatus according to the present invention. Assume that a non-encrypted database is stored in the external database 
storage device 418. FIG. 17A shows this state. 
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[0162] When a database is encrypted, a basic key is first set as shown in the flowchart in FIG. 17A (step N11). The 
basic key is set through the basic key setting dialog as described above. 

[0163] That is, as shown in the flowchart in FIG. 17B, the basic key setting dialog shown in FIG. 12 is displayed on 
the display device 41 2 when a database is encrypted (step 01 1 ). The basic key setting dialog is provided with the basic 
5 key specification button unit 441 , and the operator specifies a basic key by pressing an optional button in a plurality of 
buttons arranged on the basic key specification button unit 441 . 

[01 64] if the operator pressed the OK button 452 to specify a basic key after the operator presses an optional button 
in the basic key specification button unit 441 (step 012), then the parameter value of the basic key corresponding to the 
position of the button is read from the basic key parameter table 41 6a shown in FIG. 13, and is set in the basic key stor- 

w age unit 41 6b .(step 01 3). 

[0165] Then, a database to be encrypted is specified (step N12). According to the present invention, the external 
database storage device 41 8 independent of the present apparatus stores various databases (original data). Therefore, 
when an encrypting process is performed, the external database storage device 418 is accessed through the database 
l/F 417, and a database is to be encrypted should be specified. 

75 [0166] After a database to be encrypted is specified, a column item for use in a retrieving process in the database 
and a column item not to be encrypted are set (step N1 3), and an encryption key (a row key and a column key) for each 
column item is determined (step N14). 

[0167] The setting process is performed through the key specification setting dialog as shown in FIG. 14. The key 
specification setting dialog is a screen on which an encryption system (type of key used in encryption) is optionally 

20 specified by an operator for each column item (field) of the database. The screen is displayed on the display device 41 2 
when a database to be encrypted is specified. In this example, a value can be input as an encryption system for each 
column item of a database to the encryption system specification column 451 provided in the key specification setting 
dialog shown in FIG. 31 . The value can be 0 (non-encryption), 1 (a row key), or 2 (a column key). 
[0168] In this case, in the database shown in FIG. 20(a), the column items used in a retrieving process are 'state' 

25 in column 3, and 'age' in column 4. A column key is specified for these column items, and a row key is specified for other 
items 'name' in column 2 and 'phone' in column 5. A column item not to be encrypted is 'code* in column 1 . The encryp- 
tion key set in this example is entered in the key specification table 416c as key specification information as shown in 
FIG. 15. 

[0169] After the setting operation, the database is encrypted as follows. 
30 [0170] That is, the data in each row of the database is sequentially read from the first row to the record input mem- 
ory 426 shown in FIG. 1 1 (step N15). At this time, a row key is generated at random based on a line number assigned 
to each row by the row key generation unit 415b of the key generation device 415 and a random number, and is stored 
in a predetermined area of the data storage device 41 6 (step N1 6). 

[0171] Each column item of the row data read to the record input memory 426 is sequentially specified from the first 
35 column (step N1 7), and the encryption system for the specified column item is determined according to the key speci- 
fication information stored in the key specification table 416c (step N18), and is encrypted using a row key or a column 
key (steps N1 9 through N22). 

[0172] Practically, since the item 'code' in the first column of the database is set as a non-encryption item as shown 
on the key specification table 41 6c shown in FIG. 1 5, no action is taken (steps N1 8 through N23). That is, the item 'code' 
40 remains original data. 

[0173] Since a row key is set for the item 'name' in the second row, the row key (specific to each row) corresponding 
to the row number generated in step N1 6 is read from a predetermined area of the data storage device 41 6 (steps N1 8 
through N21 ), and the data in the second column is encrypted using the row key (step N22). 

[0174] In addition, since a column key is set for the item 'state' in the third column, the column key (key common 
45 among the columns) corresponding to the column number is generated by the column key generation unit 415c of the 
key generation device 415 (steps N18 and N19), and the data in the third column is encrypted using the column key 
(step N20). 

[0175] Similarly, the item 'age' in the fourth column is encrypted using a column key, and the item 'phone' in the fifth 
column is encrypted using a row key. 

so [0176] The encrypted data of each column item is stored in the encrypted record write memory 428 shown in FIG. 
1 1 . When the last item is encrypted, the row key used in encrypting the second and third columns of the data of the line 
is encrypted using the basic key, and added to the encrypted record write memory 428 (step N25). The basic key is gen- 
erated by the basic key generation unit 415a of the key generation device 415. The basic key generation unit 415a 
reads the parameter value set by the operator in the basic key setting dialog shown in FIG. 12 from the basic key stor- 

55 age unit 41 6b, and generates a basic key based on the parameter value. 

[0177] When 1 -row encrypted data and data obtained by encrypting a row key using a basic key are stored in the 

encrypted record write memory 428, the data is stored in the encrypted data storage unit 41 6d (step N25). 

[0178] The above mentioned encrypting process is repeatedly performed on each row (steps N26 through N15). 
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When the data in all rows are encrypted, the final state of the encrypted database is shown in FIG. 20(b). In this 
encrypted database, the row key is encrypted using a basic key, and is added to the last item of each row. 

(b) When a database is searched: 

[0179] The process of searching an encrypted database is described below. 

[0180] FIGS. 18A and 18B are flowcharts of the operation of the database searching process performed in the 
present apparatus. Assume that a database is encrypted in the encrypting process shown in (a) above and stored in 
the basic key storage unit 416b. 

[0181] First, as shown in the flowchart in FIG. 1 8A, the retrieval information is input on the database search setting 
screen not shown in FIG. 18A (step P11). An input of the retrieval information refers to inputting a column item to be 
retrieved and a retrieving character string (keyword). The input information is stored in a predetermined area of the data 
storage device 41 6. When the retrieval information is input through the input device 41 3, the pre-retrieval process is per- 
formed (step P12). 

[0182] In this pre-retrieval process, as shown in the flowchart in FIG. 18B, it is determined whether or not the col- 
umn item input to be retrieved is a predetermined column item (step Q1 1). When it is determined that the input item is 
a predetermined column item (YES in step Q11), the retrieving character string is encrypted using a column key com- 
mon among the column items (step Q12). 

[0183] A predetermined column item refers to an item to be retrieved which is set when the database is encrypted. 
Practically, it refers to each of the items 'state' and 'age'. A column key is set for an item to be retrieved. Therefore, it is 
determined in step Q1 1 whether or not an input item is a predetermined column item depending on the type of key set 
for the corresponding column item by referring to the key specification table 416c. If it is a predetermined column item, 
then a column key corresponding to the column item is generated by the column key generation unit 415c of the key 
generation device 415, and the retrieving character string is encrypted using the column key. 

[0184] If the input column item input to be retrieved is not a predetermined column item (NO in step Q1 1), then the 
retrieving character string is not encrypted as described above. 

[0185] ■ After the above mentioned pre-retrieval process, the database is searched (refer to FIGS. 19A and 19B) 
(step P13), and the data obtained as a retrieval result is displayed on the display device 412 (step P14). 
[0186] FIGS. 1 9 A and 1 9B shows the process of searching a database. 

[0187] FIGS. 1 9A and 1 9B are flowcharts of practical operations of the searching process in step P13. 
[0188] First, as shown in the flowchart in FIG. 19A, a retrieving character string is"set as a character string to be 
compared with the database in the retrieval character string storage unit 41 6e of the data storage device 416 (step 
R1 1 ). In this case, if the input item is a column item to be retrieved ('state', 'age'), then the retrieving character string is 
encrypted using a column key corresponding to the column item in the pre-retrieval process, and the result is set in the 
retrieval character string storage unit 41 6e. If the input item is not the column item to be retrieved, then it is not 
encrypted, but is set as is in the retrieval character string storage unit 41 6e. 

[0189] Then, the encryption system of the encrypted database stored in the basic key parameter table 416a of the 
data storage device 416 is determined based on the column number (step R12). If an item to be retrieved is a prede- 
termined column item encrypted using a column key, then each row data in a target column is sequentially scanned 
(steps R12 and R13), and an encrypted character string in the row is compared with a retrieving character string 
(encrypted character string) set in the retrieval character string storage unit 41 6e (step R1 4). 

[0190] In this comparing process, the encrypted character string in the row, which is retrieved from the database, 
is compared with the retrieving encrypted character string as shown in the flowchart in FIG. 19B; and it is determined 
whether or not they match each other (step S1 1). If they match each other (YES in step S1 1 ), then the record data 
including the matching item is extracted as a database retrieval result (step S12). 

[0191] The process is repeated up to the end of the encrypted database, the corresponding data is sequentially 
extracted (step R15), and the extracted data is output as a retrieval result (step R21 ). 

[0192] Practically,' in the example of the encrypted database shown in FIG. 20(b), when the data 'Florida' in the item 
'state' is specified to be retrieved, the 'Florida' input as retrieving data is encrypted using the column key in row 3 of 
'state', thereby obtaining 'hVfDD'. The data 'hVfDD' is retrieved from the column of 'state'. Thus, the data corresponding 
to the code numbers of 1001 and 1008 exists. 

[0193] When an item to be retrieved is a column item encrypted using a row key, row data of the target column is 
sequentially scanned (steps R1 2 through R16). Since each row key used when each piece of row data is encrypted is 
encrypted using a basic key, it is necessary to decrypt each row key using a basic key (step R1 7). When each row key 
is decrypted using a basic key, an encrypted character string in each row is decrypted using a row key (step R18), and 
the decrypted character string is compared with the retrieving character string (non-encrypted character string) set in 
the retrieval character string storage unit 41 6e (step R19). 

[0194] In this comparing process, the encrypted character string in the row, which is retrieved from the database, 
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is compared with the retrieving encrypted character string as shown in the flowchart in FIG. 19B, and it is determined 
whether or not they match each other (step S1 1 ). If they match each other (YES in step S11), then the record data 
including the matching item is extracted as a database retrieval result (step S12). 

[0195] The process is repeated up to the end of the encrypted database, the corresponding data is sequentially 

5 extracted (step R20), and the extracted data Is output as a retrieval result (step R21). 

[0196] Practically, in the example of the encrypted database shown in FIG. 20(b), when the data 'Jhon' in the item 
'name' is specified to be retrieved, the row key '9654' (encrypted data) corresponding to the row 1 of the 'name* is 
decrypted using a basic key, and then 'wJIS' in row 1 is decrypted using the row key, thereby obtaining the data such 
as 'Jhon'. Similarly, after a row key (encrypted data) corresponding to each row is decrypted using a basic key, the orig- 

w inal data is obtained by decrypting the data of each row using the row key. As shown in FIG. 20(c), after the data of each 
row of the item 'name' is decrypted using each row key, data matching 'Jhon' input as retrieving data is retrieved from 
the decrypted data. Thus, it is determined that the data corresponding to the code number of '1 001' exists. 
[0197] Thus, when a database is encrypted, a predetermined column item used in a retrieving process is encrypted 
using a common column key so that the retrieving data can be encrypted using the common column key in the retrieving 

75 process, and compared with the encrypted data in the database, thereby realizing a high-speed retrieving process. Fur- 
thermore, a column item other than the predetermined column item is encrypted using a key specific to each row, and 
the row key is encrypted using a basic key, thereby complicating the decryption of the keys and realizing high security. 
[0198] According to the fourth embodiment, the present invention is designed in device units, but a database sys- 
tem can be designed in terminal units by dividing the terminals into those for database management and those for data- 

20 base search. 

[0199] Described below is a database system according to the fifth embodiment of the present invention. 
[0200] FIG. 21 is a block diagram of the configuration of the database system according to the fifth embodiment. 
[0201 ] The present system comprises a server device 1 1 00 and a plurality of (thee terminals in this example) port- 
able terminals 1200a, 1200b, 1200c, ... The server device 1100 communicates online with each of the portable termi- 

25 nals 1200a, 1200b, 1200c, and they communicate data through storage media 1400a, 1400b, 1400c, ... 

[0202] The server device 1 1 00 is used as a server computer for providing database services, and comprises a dis- 
tribution data collection device 1101 for collecting data to be distributed to each terminal, an encryption device 1 102 for 
encrypting a database, a AP software storage unit 1103 for storing various application software (AP), and a database 
storage unit 1 1 04 for storing various databases. The AP software storage unit 1 1 03 and the database storage unit 1 1 04 

30 can be, for example, a data storage device such as a magnetic disk device, etc. In addition, the server device 1 1 00 can 
also comprise a display device, an input device, etc. normally provided for a general-purpose computer not shown in 
the attached drawings. 

[0203] On the other hand, the portable terminals 1200a, 1200b, 1200c, ... are used as a client computer for receiv- 
ing a database from a server device. 

35 [0204] The portable terminal 1200a comprises a decryption device 1201a for decrypting an encrypted database, 
and a database search device 1 202a for searching a database. The portable terminals 1 200b and 1 200c have the sim- 
ilar configuration, and respectively comprise decryption devices 1201 b and 1201c, and database search devices 1202b 
and 1202c. The portable terminals 1200a, 1200b, 1200c, ... are provided with a medium read device in addition to a 
display device, an input device, etc. although they are not shown in the attached drawings. These portable terminals 

40 1200a, 1200b, 1200c, ... are not provided with a browsing function for viewing data online, and are designed to commu- 
nicate data with the server device 1 100 through the storage media 1 400a, 1400b, 1400c, ... 

[0205] The storage media 1400a, 1400b, 1400c, ... are portable storage media containing, for example, CF cards 
(compact flash memory cards). A card reader/writer 1 300 is a device for writing and reading data to and from the stor- 
age media 1 400a, 1 400b, 1 400c, and is connected to the server device 1 1 00. 

45 [0206] With the configuration, the server device 1 1 00 reads a database specified by an operator from among vari- 
ous databases in the database storage unit 1 1 04, and encrypts it through the encryption device 1 1 02. In this case, the 
encryption device 1 1 02 encrypts the database in the method similar to that used in the fourth embodiment. That is, a 
predetermined column item used in a retrieving process is encrypted using a common column key while column items 
other than the predetermined column item are encrypted using a different key for each row, and the row key is 

50 encrypted using a basic key. 

[0207] The database encrypted by the encryption device 1102 is stored in a file, and the encrypted data file is 
stored in the storage media 1400a, 1400b, 1400c, ... such as a CF card, etc. using the card reader/writer 1300. in this 
case, when an encrypted data file is stored in the storage media 1400a, 1400b, 1400c, a key specification table 
1 403, a basic key parameter table 1 404, and a application program 1 401 are stored in addition to an encrypted data file 

55 1402 as shown in FIG. 22. 

[0208] The key specification table 1403 is a table storing the type (non-encryption, a row key, a column key) of 
encryption system defined for each column (field) of a database, and has the configuration similar to that of the key 
specification table 41 6c according to the fourth embodiment (refer to FIG. 15). The basic key parameter table 1404 is a 
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table in which a parameter value of a basic key is entered, and has the configuration similar to that of the basic key 
parameter table 416a according to the fourth embodiment (refer to FIG. 13).The key specification table 1403 and the 
basic key parameter table 1404 are stored in the encryption device 1 102. The application program 1401 is used when 
a database is searched, and is stored in the AP software storage unit 1 103. 
5 [0209] The storage media 1400a, 1400b, 1400c, ... are respectively distributed to the portable terminals 1200a, 
1200b, 1200c, ... Each user can retrieve data by inserting the distributed storage media 1400a, 1400b, 1400c, ... in his 
or her own terminal. 

[0210] That is, for example, the portable terminal 1200a inserts the distributed storage medium 1400a, and reads 
the key specification table 1403 and the basic key parameter table 1 404 in addition to the application program 1401 and 

w the encrypted data file 1402 stored in the storage medium 1400a for the data retrieving process. Then, the application 
program 1401 for a data retrieving process is activated, a predetermined column item is specified, the encrypted data 
file 1402 is retrieved, and the data obtained as a result of the retrieval is decrypted and displayed. 
[021 1] A data retrieving process is performed by the database search device 1 202a provided in the portable termi- 
nal 1200a. The database search device 1202a is operated according to the application program 1401, and is similar to 

is the database search device according to the fourth embodiment. Data is decrypted by the decryption device 1201a. 
The decryption device 1201a performs a database decrypting process as in the fourth embodiment by referring to the 
key specification table 1403 and the basic key parameter table 1404. 
• [0212] Thus, if a database system is designed with a database management terminal independent of a database 
retrieval terminal, then a customer managing database can be encrypted and stored in a storage medium, and then dis- 

20 tributed to a sales person. Thus, the sales person can use another terminal to retrieve data. In this case, since the data- 
base stored in the storage medium is encrypted in the above mentioned method, the security of the data can be 
guaranteed. The storage medium stores not only an encrypted data file, but also a data retrieving application program. 
Therefore, it is not necessary for a portable terminal to be provided with a data retrieving application program, and the 
system can be realized with a simple portable terminal. 

25 [0213] According to the database management apparatus, the data of a column item other than a predetermined 
column item used when a retrieving process is performed is encrypted using a different key for each row, and the key 
used when the column item is encrypted is encrypted using another key, thereby complicating the decryption of a key 
and realizing high security. 

[0214] Described below is the encryption/decryption system used in the database management apparatus. 

30 [0215] FIG. 23 shows the concept of the configuration of an encrypted data communications system. In FIG. 23, 
1 1a and 1 1b are personal computers (hereinafter referred to as PCs), and 12a and 12b are security devices. In this 
example, data communications are established between the PC 1 1 a of a user A and the PC 1 1 b of a user B. 
[0216] The PCs 11a and 11b are general-purpose computers, and they can be respectively connected to the secu- 
rity devices 12a and 12b. The security devices 12a and 12b comprises IC cards. Information is written to the security 

35 devices 1 2a and 1 2b when they are delivered from their factory. The information includes the production number of an 
IC card, the user ID of each member of a group, and an encryption key (private key P1 , P2). The information is common 
among the members of a group, and is not public. 

[0217] FIG. 24 is a block diagram of the configuration of the circuit of the PC 1 1a and the security device 12a. The 
PC 1 1b and the security device 12b have the same configurations as the PC 1 1a and the security device 12a. 
40 [0218] The PC 1 1 a is a general-purpose computer comprising a CPU 21 , and processes data by invoking a primary, 
program. To the CPU 21 , a storage device 22, RAM 23, a keyboard 24, a display unit 25, and a card l/F (interface) 26 
are connected through a system bus. 

[0219] The storage device 22 comprises, for example, a hard disk device, a floppy device, a CD-ROM device, etc., 
and stores various data, programs, etc. In this example, it stores plaintext data to be encrypted, an authentication file 

45 described later, etc. In addition, a program stored in a storage medium (a disk, etc.) is installed in the storage device 
22. The CPU 21 reads a program installed in the storage device 22, and performs a process according to the program. 
[0220] The RAM 23 functions as the primary memory of the apparatus according to the present invention, and 
stores various data required to perform the process for the apparatus. The keyboard 24 is an input device for inputting 
data and issuing an instruction of various functions. The display unit 25 comprises, for example, a CRT (cathode ray 

so tube), an LCD (liquid crystal display), etc., and is a display device for displaying data. 

[0221] The card i/F 26 is connected to the security device 12a through a connector 27, and controls input and out- 
put of data to and from the security device 12a. 

[0222] The security device 12a comprises an IC card and a CPU 31 , and processes data by invoking a secondary 
program. ROM 32, RAM 33, and flash memory 36 are connected to the CPU 31 through a system bus. 
55 [0223] The ROM 32 stores a secondary program for realizing the function as the security device 12a. The RAM 33 
stores various data required for a process performed by the security device 12a. In this example, it comprises an input 
buffer 34 for temporarily storing data transmitted from the PC 1 1 a, and an output buffer 35 for temporarily storing data 
to be transmitted to the PC 1 1a. 
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[0224] Flash memory 36 is used as a storage device for storing a database 41 shown in FIG. 25. As shown in FIG. 
25, the database 41 comprises information (non-pubiic information) common among the members and information 
(public information) specific to each member. The information (non-public information) common among the members 
includes a production number, the user ID of each member of the group, and encryption key data (private key P1, P2). 
5 The information (public information) specific to each member includes encryption key data (public key P3, P4), and a 
password. The password is used as a part of the public key. 

[0225] A connector 37 is used to electrically connect the security device 1 2a to the PC 1 1 a. Briefly described below 
are the operations performed when encrypted data communications are set in the system shown in FIG. 23. 
[0226] First, the security devices 12a and 12b used as IC cards are transmitted to each member of a group. The 
10 security devices 12a and 12b are provided with the database 41 in which a production number, the user ID of each 
member of a group, and the encryption key data (private key PI, P2) are entered in advance. 

[0227] Each member writes the encryption key (public key P3, P4) and a password to the security devices 12a and 
12b. The written information is stored in the public portion of the database 41. 

[0228] When encrypted data is transmitted from the PC 1 la to the PC 1 1b, each member (users A and B) inserts 
15 the security devices 12a and 12b respectively to the PCs 1 1a and 1 1b to perform an encrypting process. In this case, 
according to the present invention, the encryption algorithm is based on the generation of a vector described later. 
[0229] At this time, the parameter (hereinafter also referred to as a 'constant) for determination of a nonlinear func- 
tion for generation of the vector is determined by an encryption key (private and public keys). The encrypted document 
is transmitted together with a public key to a correspondent. On the reception side, using the received public key and 
20 the receiver's private key, the encrypted document is decrypted using a vector generated using the same nonlinear 
function. 

[0230] Described below is the operation according to the embodiment. In this embodiment, by referring to the PC 
11a and the security device 12a shown in FIG. 23, the operations of the processes are described in each of the two 
modes of (a) user entry, and (b) data encryption. 

25 

(a) User entry 

[0231 ] First, a user makes a user entry when the usee established encrypted data communications using the secu- 
rity device 1 2a. That is, a member assigned the security device 1 2a (IC card) enters information about the public portion 
30 shown in FIG. 25 in his or her own PC 11a. 

[0232] FIGS. 26(a) and 26(b) are flowcharts of the operations of the processes of the PC 1 1a and the security 
device 12a performed when a user entry is made v 

[0233] A user inputs user authentication data in the PC 1 1 a through the primary program on the PC 1 1 a (step A1 1 ). 
In this case, the user authentication data refers to a user ID. The primary program transfers the input user ID to the input 
35 buffer 34 of the security device 12a (step A12). Then, it passes control to the secondary program on the security device 
12a. 

[0234] On the security device 12a side, when the secondary program confirms that the data is stored in the input 
buffer 34, it reads the data (step B11). Then, the secondary program accesses the flash memory 36 of the security 
device 12a, and checks whether or not the user ID input as the user authentication data has been entered in the data- 
40 base 41 stored in the flash memory 36. As a result, if the user ID has not been entered in the database 41 (NO in Step 
B12), then it is determined that the user is not a member of the group, and the process terminates (step B13). 
[0235] If the user ID has been entered in the database 41 (YES in step B12), then it is determined that the user is 
a member of the group, and the user is requested through the PC 1 1 a to enter his or her password and encryption key 
(public key)(step B14). 

45 [0236] In response to the request, the user inputs his or her password and encryption key (public key) (step A1 3). 
The primary program on the PC 1 1 a transfers the input password and the encryption key (public key) to the input buffer 
34 of the security device 12a (step A14). The password is used as a part of a public key. 

[0237] When the password and encryption key (public key) are input from the user authenticated as a group mem- 
ber, the secondary program of the security device 12a reads the input information, encrypts it as necessary, and writes 
so the result to the public portion of the database 41 stored in the flash memory 36 (step B15). 

[0238] At this time, the nonlinear function used by a user in an encrypting process is determined. A plurality of con- 
stants used in the function are fixed by a key. According to an embodiment of the present invention, a multidimensional 
vector generation function is used as a nonlinear function, which is described later in detail. 

[0239] After processing the information, the secondary program generates a report of the database 41 (step B16), 
55 stores it in the output buffer 35 of the security device 1 2a, and passes control to the primary program (step B1 7). 

[0240] To the above mentioned report, the encrypted data to be used by the primary program when a user authen- 
ticating process is performed is written. On the PC 1 1a side, the primary program confirms that data is stored in the 
output buffer 35 of the security device 1 2a, reads the data, and writes it as file data to the storage device 22 (step A1 5). 
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The written file data is processed as an authentication file, and is used for a user authentication check when encrypted 
data communications are hereinafter established (step A16). ' 

(b) Data encryption 

[0241] Data encryption refers to actually encrypting and transmitting a document. 

[0242] FIGS. 27(a) and 27(b) are flowcharts of the operations of the processes performed by the PC 1 1a and the 
security device 12a when data is encrypted. A user inputs his own user ID and password with the security device 12a 
(IC card) inserted in the PC 11a. By inputting the user ID and password, the primary program of the PC 11a refers to 
the authentication fiie, and authenticates the user (step C12). 

[0243] If the user is not a registered user (NO in step C121) as a result of the authentication check (step C121), 
then the primary program enters a termination procedure (step C1 6). If the user is a registered user (YES in step C1 21 ), 
then the primary program transmits the input user ID and password to the security device 12a (step C13). 
[0244] On the security device 12a, the secondary program reads the user ID and password (step D1 1), Then, the 
secondary program compares the information with the contents of the database 41 in the flash memory 36, and authen- 
ticates the user (step D1 2). 

[0245] As a result of the user authentication check, the secondary program generates an authentication report indi- 
cating whether or not the user has been registered in the security system, transfers the authentication report to the 
security device 12a, and passes it to the primary program of the PC 1 1a (step D13). 

[0246] On the PC 11a side, the primary program reads the authentication report transmitted from the security 
device 12a, and confirms that the user has been authenticated on the security device 12a side (step C14). 
[0247] If the user is rejected in the user authentication check, that is, if the authentication report indicates that the 
user is not a registered user (NO in step C15), then the primary program of the PC 11a notifies the user of it, and ter- 
minates the process (step C1 6). 

[0248] If the user is confirmed as a registered user in the user authentication check, that is, if the authentication 
report indicates that the user is a registered user (YES in step C15), then the primary program of the PC 1 1a performs 
the following encrypted data communications. 

[0249] That is, the primary program reads the plaintext data (generated documentjto be encrypted from the storage 
device 22, transfers it with the authentication report added to it to the input buffer 34 of the security device 12a, and 
passes control to the secondary program of the security device 12a (step C17). 

[0250] A authentication report is added to the plaintext data to allow the security device 12a to confirm that the doc- 
ument has been received from the registered user authenticated by the security device 12a. 

[0251] On the security device 12a side, the secondary program reads the plaintext data transmitted from the PC 
1 1a (step D14). If no authentication report is added to the plaintext data (NO in step D15), then it is determined that the 
document is not received from a registered user, thereby terminating the process (step D1 6). 

[0252] On the other hand, if an authentication report is added to the plaintext data (YES in step D15), then it is 
determined that the document is received from a registered user, and the secondary program encrypts the plaintext 
data by the encryption system using a multidimensional vector described later (step D17). Then, the secondary pro- 
gram stores a decryption key (public key) and encrypted data (encrypted document) in the output buffer 35 of the secu- 
rity device 1 2a, and transmits them to the PC 1 1 a (step D1 8). 

[0253] The primary program of the PC 1 1a receives the decryption key and the encrypted data (encrypted docu- 
ment) (step C18), outputs them as a file in the storage device 22 of the PC 11a, or passes control to the communica- 
tions software such as electronic mail, etc., and transmits them externally (to the PC 1 1b shown in FIG. 1 )(step C1 9). 
[0254] Described below are the operations of the encrypting process performed by the security device 1 2a. 
[0255] FIG. 28A is a flowchart of the operations of an encrypting process. 

[0256] The plaintext data (message data) to be encrypted is defined as M (step E1 1). The data M is binary data. . 
The secondary program of the security device 12a first applies a scramble 1 in bit units to the data M (step E12). The 
obtained data is defined as M' (step E13). 

[0257] The secondary program XORs (obtains an exclusive logical sum) by adding the data M' to the random num- 
bers generated mathematically and sequentially, and then performs an encrypting process (step E14). At this time, a 
generation function of a multidimensional vector r is used as a random number generation function. In this case, the 
function for generation of the multidimensional vector r, or a constant used for the function is determined by ah encryp- 
tion key (private and public keys). 

[0258] That is, the secondary program reads a private key (P1 , P2) and a public key (P3, P4) from the database 41 
when an encrypting process is performed, generates a multidimensional vector r according to the function using the 
encryption keys as a parameter constant, and performs a logical operation such as M' XOR r, thereby performing an 
encrypting process. Thus, the obtained encrypted data is defined as C (step E15). 

[0259] Practically, assume that, as shown in FIG. 29, r is a three-dimensional vector (x, y, z) and the computation 
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precision of the vector components x, y, and z is 1 6 bit. According to the equation (1 ) described later, the three-dimen- 
sional vectors r (x, y, z) are sequentialiy generated as rO, r1 , r2, r3, ... 

[0260] When the data M is given as mO ml m2 m3 m4 m5 m6 ... as a sequence of 8-bit data (a character string 
having 8 bits for each character), M is decomposed in two-element (8 bits) units based on the computation precision 
5 (16 bits). If the three-dimensional vector is rO, then the data M and rO (xO, yO, zO) are XORed (obtained as an exclusive 
logical sum), thereby performing computation by (x XOR mO m1)(y XOR m2 m3)(z XOR m4 m5)..., etc. As a result of 
the computation, the encrypted data C such as CO C1 C2 C3 C4 C5 .... etc. can be obtained. 

[0261] The secondary program furthermore applies a scramble 2 in bit units to the data C obtained as described 
above (step E16). The obtained data is defined as C\ and output as the final encrypted data (step E1 7). 

io [0262] in the above mentioned process, the unreadableness level of illegal deciphering can be raised by repeatedly 
performing the similar encrypting process with the C defined as M l . If the form of the function for generation of the mul- 
tidimensional vector r is changed, the unreadableness level can be furthermore raised. 
[0263] Described below is the operation of the decrypting process performed by the security device 12a. 
[0264] FIG. 28B is a flowchart of the operation of the decrypting process. 

15 [0265] The decrypting process can be performed simply by inversely performing the encrypting process. That is, 
assuming that the encrypted data is defined as C* (step F1 1), the secondary program of the security device 12a first 
applies an inverse scramble 2 which is inverse to the scramble 2 applied in the encrypting process in bit units onto the 
data C (step F12). Thus, the data C can be obtained as the data before applying the scramble 2 (step F13). 
[0266] Then, the secondary program decrypts the data C by performing a computing process such as C XOR r, etc. 

20 (step F14), thereby obtaining the data IvV before performing an encrypting process (step F15). 

[0267] The secondary program applies an inverse scramble 1 which is inverse to the scramble 1 applied in the 
encrypting process in bit units onto the data M' (step F12). Thus, the data can be obtained as the data before applying 
the scramble 1 , that is the plaintext data M can be obtained (step F1 7). 

[0268] If the process of repeating an encrypting process with the C defined as the M', changing the form of a func- 
25 tion for generation of a multidimensional vector r, etc. has been added in the encrypting process, then a decrypting 
process is performed corresponding to the added process. 

[0269] According to the present invention, a set P of parameters (constants) determining the function for a multidi- 
mensional vector r in the encrypting process performed using a multidimensional vector r is divided into two portions, 
and expressed as follows. 
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P = { Ps, Pp } 



where Ps is a private parameter, and corresponds to the encryption key (private key P1, P2) stored in the non- 
public portion of the database 41 , and Pp is a public parameter, and corresponds to the encryption key (public key P3, 
35 P4) stored in the public portion of the database 41 . Ps together with Ps is used in authenticating a user, and encrypting 
and decrypting data. 

[0270] According to the present embodiment, there are two Ps and two Pp, but it is obvious that the number of 
parameters is not limited to this application. 

[0271] Described below is the encryption system according to an embodiment of the present invention. 
40 [0272] Assume that the vector in the n(n>1 )-dimensional space is r, and the matrix sequentially generating new vec- 
tors rj (j = 0, 1 , 2, 3, ...) from the initial value r 0 is R. At this time, the vector rj is expressed by a nonlinear function of the 
following quation (1). 



r^KJPjr^r^c ( 1 ) 



where a is an appropriate constant coefficient, P is a set of constants used in the matrix, and an encryption key 
(private key P1, P2) stored in a non-public portion of the database 41 and an encryption key (public key P3, P4) stored 
so in a public portion of the database 41 are used, c is a constant vector for spatial translation of a vector. 

[0273] in equation (1) above, the coefficient a sets a condition for each vector to be in the closed space area of a 
multidimensional space when an appropriate restriction (for example, IRI < 1 ) is placed on the matrix R. The constant 
vector c guarantees that the vector rj will not converge into a trivial point (for example, an insignificant point having r = 
0) (c = 0 is obviously allowed). 

55 [0274] In the n-dimensional space, the vector r has n components (r = (x1 , x2, xn) ). In computation, a numeral 
data is generally represented by the precision of bit length (m) (for example, 8 bytes or 64 bytes) as defined by a com- 
piler. Therefore, if the vector r cannot be regenerated with data precision of n x m at a moment in the sequential vector 
generation method, the subsequent vector r cannot be correctly regenerated (or the matrix R is so defined). This holds 
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true with the Initial value r 0 of the vector r. That Is, only when the initial value r 0 can be regenerated with data precision 
of n x m, the subsequent vectors r 1( r 2l r 3 , ... can be guaranteed. 

[0275] In the encrypting process according to an embodiment of the present invention, one or more components, 
depending on the defined data length, of the vector r obtained in the equation (1) above are arranged, and are XORed 
(processed in an exclusive logical operation) on each bit with the character string (normally 8 bits per character) corre- 
sponding to the total bit length. This is referred to as the first encrypting process which has been described above by 
referring to FIG. 29. - 

[0276] The procedure can be performed in a duplex process as a countermeasure against decryption. In this case, 
the matrix R of the equation (1 ) above can be changed again to generate a new vector so that another encrypting proc- 
ess can be performed in the same method as the first encrypting process. This is referred to as the second encrypting 
process. 

[0277] In a practical example, n equals 2 (n = 2). First, R is defined as an operation in which r^ rotates by 9 round 
the normal set on the plane. The R is a matrix of 2 x 2, and can be represented as follows. 



15 



^sin8 cos8 



(2) 



20 

[0278] In this case, 9 is a kind of parameter. That is, the parameter is given as a function of r M> and can be repre- 
sented by the following equation. 

25 9(r)=flPS) (3) 



[0279] At this time, the transformation represented by the equation (2) above can be formally represented by the 
equation (1) above. In this case, the nonlinearity complicates the vector generating process. 
30 [0280] In the equation (3) above, P is defined as a set of constants used in the nonlinear function f, and the encryp- 
tion key (private key P1, P2) stored in the non-public portion of the database 41 and the encryption key (public key P3, 
P4) stored in the public portion of the database 41 are used. 

[0281] Thus, by using the vectors r sequentially generated in a multidimensional space in an encrypting process, 
the encrypting process can be performed independent of the precision or performance of a computer as compared with 
35 such an encrypting process as the RSA. 

[0282] In addition, an application can be easily added and amended. Furthermore, the present embodiment disa- 
bles a decrypting process to be successfully performed because of the constant coefficient a, the constant P (private 
and public keys), the constant vector c, and the initial value r 0 of the vector all of which should be completely obtained 
in a decrypting process. 

40 [0283] For example, assuming that the P contains five constants with a three-dimensional vector, the number of val- 
ues to be given as the initial value r 0 can be obtained by the following equation. 

1 (A) + 5(P) + 3 (r0) + 3(c)= 12 

45 [0284] If each of the values is a 8-digit real number, then all vectors can be regenerated at the probability of 10" 96 . 
The probability nearly equals 0, thereby hardly permitting successful decryption. 

[0285] Furthermore, in the method according to the present invention, it is necessary to explicitly indicate the func- 
tion f for determining 9 of the rotation matrix R (9), thereby furthermore complicating illegal decryption. 
[0286] Additionally, according to the above mentioned embodiment, a vector is generated using a function deter- 
so mined by defining a private key and a public key, but a vector can also be generated using a function determined by 
defining at least a public key. 

[0287] Furthermore, each constant (a, P, c) for determination of a function used to generate a vector is fixed when 
it is used, and the function is also fixed. However, a constant for determination of a function can be dependent on a 
password (an encryption key to be used as a part of a public key) as described below. 
55 [0288] It is possible to allow each constant for determination of a function to be dependent on a password in an 
encrypting process in which the function can be determined such that vectors sequentially generated in a closed area 
of the n(n>1)-dimensional space cannot match each other. The password is used as a part of a public key. The function 
should be fixed. That is, in the equation (1) above, 
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a -» a (K) 
P -> P (K) 

5 c -> c (K) 

where a is a constant coefficient, P is a set of constants (private and public keys)to be used in a matrix, c is a 
constant vector for spatial translation of a vector, and K is a password. 

[0289] The password K is input by a user, and is stored in the public portion of the database 41 . The secondary pro- 
w gram reads the password K from the database 41, and determines each constant (a, R c) of the equation (1) above 
based on the password K. Then, using the function based on the constants, a multidimensional vector is generated, and 
data is encrypted. 

[0290] Thus, by making each constant for determination of a function dependent on a password, the security of the 
encryption can be improved as compared with the case where each constant is fixed. 
15 [0291] It is also possible in an encrypting process where vectors defined in the closed area of a n(n>1 )-dimensional 
space are sequentially generated, and a function is set such that generated vectors cannot match each other, each con- 
stant for determination of the function can be dependent on a password and a real time. A password is used as a part 
of a public key. The function is fixed. That is, in the equation (1) above, 

20 a -» a (K,t) 

P P (K,t) 

c -» c (K,t) 

25 

where a is a constant coefficient, P is a set of constants (private and public keys)to be used in a matrix, c is a 
constant vector for spatial translation of a vector, K is a password, and t is a real time. 

[0292] The password K is input by a user, and is stored in the public portion of the database 41 . The secondary pro- 
gram reads the password K from the database 41, and determines each constant (a, P, c) of the equation (1) above 
30 based on the password K, and the real time t. Then, using the function based on the constants, a multidimensional vec- 
tor is generated, and data is encrypted. 

[0293] Thus, by making each constant for determination of a function dependent on a password, and additionally 
making each constant depending on a real time, each constant depends not only on a password, but also on a real time, 
thereby furthermore improving the security of the encryption. 
35 [0294] It is also possible in an encrypting process where vectors defined in the closed area of a n(n>1 )-dimensional 
space are sequentially generated, and a function is set such that generated vectors cannot match each other, each con- 
stant for determination of the function can be dependent on a password and a real time, and additionally the selection 
of function matrix can be dependent on a password . A password is used as a part of a public key. That is, in the equa- 
tion (1) above, 

40 

a -> a (K,t) 
P -> P (K,t) 

45 c -» c (K,t) 

and 

R K 

50 

where a is a constant coefficient, P is a set of constants (private and public keys)to be used in a matrix, c is a 
constant vector for concurrent movement with a vector, K is a password, t is a real time, and R is a matrix. 
[0295] The password K is input by a user, and is stored in the public portion of the database 41 . The secondary pro- 
gram reads the password K from the database 41, and determines each constant (a, R c) of the equation (1) above 
55 based on the password K, and the real time t. 

[0296] The secondary program selects the matrix R using these constants depending on the password K. Based 
on the selected matrix R, a multidimensional vector is generated, and data is encrypted. 

[0297] Thus, by making each constant for determination of a function dependent on a password, additionally mak- 
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ing each constant depending on a real time, and by selecting a matrix depending on a password, each constant 
depends not only on a password, but also on a real time, and the function using the constants are also selected depend- 
ing on a password, thereby furthermore improving the security of the encryption. 

[0298] It is also possible in an encrypting process where vector defined in the closed area of a n(n>l)-dimensional 
5 space are sequentially generated, and a function is set such that generated vectors cannot match each other, each con- 
stant for determination of the function can be dependent on a password and a real time. A password is used as a part 
of a public key. A function type is selected depending on a password and a real time. That is, in the equation (1) above, 

a -> a (K,t) 

10 

P -> P (K,t) 
c r-> c (K,t) 

15 and 

where a is a constant coefficient, P is a set of constants (private and public keys)to be used in a matrix, c is a 
20 constant vector for spatial translation of a vector, K is a password, t is a real time, and R is a matrix. 

[0299] The password K is input by a. user, and is stored in the public portion of the database 41 . The secondary pro- 
gram reads the password K from the database 41, and determines each constant (a, P, c) of the equation (1) above 
based on the password K, and the real time t. 

[0300] The secondary program selects the matrix R using these constants depending on the password K and the 
25 real time t. Based on the selected matrix R, a multidimensional vector is generated, and data is encrypted. 

[0301] Thus, by making each constant for determination of a function dependent on a password, additionally mak- 
ing each constant depending on a real time, and by selecting a matrix depending on a password, each constant 
depends not only on a password, but also on a real time, and the function using the constants are also selected depend- 
ing on a password and a real time, thereby furthermore improving the security of the encryption. 
30 [0302] It is also possible in an encrypting process where vectors defined in the closed area of a n(n>1 )-dimensional 
space are sequentially generated, and a new function is generated by linearly combining a plurality of functions such 
that the generated vectors cannot match each other, a constant for determination of the function can be dependent on 
a password arid a real time. A password is used as a part of a public key. A function type is selected depending on a 
password and a real time. Furthermore, a linear combination coefficient is dependent on a password and a real time. 
35 [0303] That is, assuming that a matrix generating a new vector rj (j = 0, 1, 2, 3, ...) from the initial value r 0 of the 
vector r in a n(n>1 )-dimensional space is R d (d = 0, 1 , 2, 3, ...), a new vector can be generated by the following equation, 

r rJl wjMi*Jfcffl^ ( 4 ) 

40 d 

[0304] In the equation (1) above, a is a constant coefficient, P is a set of constants (private and public keys)to be 
used in a matrix, c is a constant vector for spatial translation. of a vector, K is a password, t is a real time, R is a matrix, 
45 and W is a linear combination coefficient. 

[0305] The password K is input by a user, and is stored in the public portion of the database 41. The secondary pro- 
gram reads the password K from the database 41, and determines each constant (a, R c) of the equation (4) above 
based on the password K, and the real timet. The secondary program selects a matrix R obtained by linearly combining 
a plurality of matrices. 

so [0306] The linear combination coefficient W d used in the matrix R is determined by the password K and the real 
time t. Depending on the selected nonlinear function (4), a multidimensional vector is generated to encrypt data. 
[0307] Thus, using a new matrix obtained by linearly combining a plurality of matrices, a constant determining each 
matrix is made to be dependent on a password and a real time, matrix selection is made to be dependent on a password 
and a real time, and a linear combination coefficient is made to be dependent on a password and a real time, thereby 

55 furthermore improving the security of encrypted data. 

[0308] Furthermore, in an encrypting process in which the function can be .determined such that vectors sequen- 
tially generated in a closed area of the n(n^1 )-dimensional space cannot match each other, the type of function can be 
optionally defined by a user, and can be dynamically combined with others when it is applied to the main encryption 
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algorithm. 

[0309] That is, a user-defined function is compiled to a compiled basic encryption program to sequentially generat- 
ing multidimensional vectors, and the compilation result is used through dynamic linking when the entire program is 
executed. Thus, a malicious user such as a hacker, etc. can be rejected almost completely. 

5 [0310] As described above, vectors defined in a closed area of an n(n>1)-dimensional space can be sequentially 
generated, and encrypted data can be generated in a logical operation using plaintext data to be encrypted and the 
components of the vectors. Therefore, an encrypting process can be performed without high precision or performance 
required in the RSA method, etc. Furthermore the encrypting process can be performed with high reliability, and with an 
application easily added or amended. Thus, by applying various keys to a parameter set P in the equation (1), an 

w optional encrypted data communications system can be defined. Therefore, it is sufficient only to describe the encryp- 
tion/decryption algorithm using a common key (private key). Described below in detail is the encryption/decryption sys- 
tem according to an embodiment of the present invention. 

[031 1 ] FIG. 30 shows the principle of the encryption/decryption system according to an embodiment of the present- 
invention. 

15 [0312] In FIG. 30, the security devices in devices 1 1 0 and 1 12 respectively on the transmission and reception sides, 
that is, encryption/decryption engines store common keys (private keys). When encrypted data communications are 
established from one device 110 to another device 112, the primary program of the device 1 10 passes control to the 
secondary program of the security device of exclusive hardware. 

[0313] The security device for performing an encrypting process on the transmission side uses a nonlinear function 
20 variable according to a parameter corresponding to a common key. That is, vectors are generated chaotically and 
sequentially using a nonlinear function for translation and rotation of n-dimensional vectors defined in a closed area of 
an n-dimensional space, and encrypted data is generated by performing a logical operation in bit units between plain- 
text data and the generated vectors. 

[0314] The security device for performing a decrypting process on the reception side generates the vectors as on 
25 the transmission side, performs an inverse operation on the generated vectors, and easily decrypts the received 
encrypted data into the plaintext data. 

[0315] In the encryption/decryption system according to the present invention, a parameter for determination of a 
nonlinear function used to generate the above mentioned multidimensional vector is secret to the third party. Therefore, 
according to the present invention, the generation of the n-dimensional vector is determined by defining at least a com- 

30 mon key (private key), thereby sequentially generating the n-dimensional vectors using a nonlinear function capable of 
generating chaos such that each of the generated n-dimensional vectors cannot match each other. 
[0316] That is, the present invention comprises: a vector generation unit for generating a vector rj using each com- 
ponent of a vector defined in a closed area of the n(n>1)-dimensional space, and an angle & n determined by a param- 
eter set P in such a way that each of the vectors sequentially generated using a non-linear function (corresponding to 

35 equation (1 )) containing at least the n-dimensional rotation matrix R n (ft n ) (corresponding to R in equation (1 )) for rota- 
tion of the vector cannot match each other in the n-dimensional space; in an encrypting process, a binary operation unit 
for generating encrypted data using a binary operation of plaintext data and the component of the vector generated by 
the vector generation unit; and, in a decrypting process, an inverse binary operation unit for generating the plaintext 
data in an inverse binary operation corresponding to an inverse operation of the binary operation using the vector rj gen- 

40 erated by the vector generation unit and the encrypted data. 

[0317] Especially, the present invention comprises: a rotation matrix generation unit for generating the n-dimen- 
sional rotation matrix R n (H n ) for rotation of the vector using the (n-l)-dimensional rotation matrix R n .-, (n n .-|) as an (n- 
1)-dimensional small matrix by using each component of a vector defined in a closed area of the n(n>1)-dimensional 
space, and an angle Cl n determined by a parameter set P; a vector generation unit for generating vectors ^ such that 

45 each of the vectors rj (j>0) sequentially generated using a nonlinear function containing at least the rotation matrix R n 
(ft n ) cannot match each other in the n-dimensional space; and a binary operation unit for generating encrypted data 
using a binary operation of plaintext data and the component of the vector generated by the vector generation unit. 
[0318] The encryption/decryption system according to the present invention relates to an encrypting/decrypting 
process performed when a transmitter and receiver of data establish data communications using a common security 

so device (encryption device). 

[0319] According to the present encryption system, a data transmitter (encryption side) generates ciphertext by 
performing a predetermined logical operation (normally, an exclusive logical sum operation) in bit units using a key 
sequence with which a plaintext data message has been generated based on a predetermined common key. A data 
receiver (decryption side) obtains an original plaintext by performing a predetermined logical operation (same operation 

55 as on the encryption side) in bit units using the same key sequence as on the encryption side based on a predetermined 
common key. 

[0320] In this encryption system, a multidimensional vector generation device is used as a random number gener- 
ation device for generating the above mentioned key sequence. In this case, various parameters and initial state for 
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determination of a vector generation function of the multidimensional vector generation device are provided as common 
keys 

[0321] FIG. 30 shows an example of the configuration of the encryption system to which the present invention is 
applied. The encryption device 110 comprises a multidimensional vector generation function unit 101 and a logical 
5 operation process function unit 102. 

[0322] Similarly, the decryption device 1 12 comprises a multidimensional vector generation function unit 121 and a 
logical operation process function unit 122. 

[0323] In FIG. 30, between the encryption device 1 10 on the encryption side and the decryption device 1 1 2 on the 
decryption side, for example, a common key is distributed using an IC card, etc. in a security state, and the common 
w key is shared. The encryption device 110 on the encryption side generates a multidimensional vector based on the 
function determined by a predetermined common key, obtains an exclusive logical sum using a plaintext and the com- 
ponent data of the vector as a random number sequence to transform the plaintext message into ciphertext, and trans- 
mits the ciphertext to the decryption device 112. 

[0324] The decryption device 1 12 which has received the ciphertext generates a vector from the ciphertext through 
75 the logical operation process function unit 122 having the same function as the multidimensional vector generation 
function unit 101 provided in the encryption device 110, obtains an exclusive logical sum of the vector and the gener- 
ated random number sequence, and restores the original plaintext message. 

[0325] In addition, since the processes performed by the encryption device 1 1 0 and the decryption device. 1 1 2 are 
practically the same as each other, the processing devices such as a computer, etc. can have the functions of both 
20 encryption device 1 1 0 and decryption device 1 1 2. 

[0326] FIG. 31 shows the configuration of the encrypting and decrypting programs of the encryption device 1 1 0 and 
the decryption device 1 12. 

[0327] A primary program 131 manages input and output of data, determines whether or not the data is to be 
encrypted or decrypted, and manages the entire encrypting and decrypting processes. A parameter list generation 
25 library 132 stores a common key distributed using an ICcard, etc. An encryption/decryption engine 133 receives a com- 
mon key as a parameter from the parameter list generation library 132, generates a rotation vector based on a matrix 
determined by a multidimensional vector rotation function generation library 134, and encrypts plaintext or decrypts 
ciphertext using a component of the vector. 

[0328] Described below in detail is the generation of a multidimensional vector. 
30 [0329] Considering the rotation for the vector r^ defined in a multidimensional (n-dimensional) space, a general- 
ized rotation angle is represented by ft n , and the operation corresponding to the rotation is represented by R n (I2 n ) as 
a matrix of n x n. That is, R n (fi n ) acts on r^, and rotates the vector. The equation (1 ) is rewritten into the following equa- 
tion (5), that is, a general equation of a rotation vector, thereby defining a new vector rj. 

rj-«RJiQJr H +c ....(5) 

where a is a constant satisfying lai < 1. c is a n-dimensional constant vector. The equation above indicates that 
a new vector rj is generated from the vector r^ through rotation and spatial translation. 
40 [0330] According to the present invention, nonlinear sequence can be generated such that the sequence of gener- 
ated r vectors cannot be chaotic, that is, the original sequence in a closed space by setting the rotation angle £l u 
dependent on r. That is, ft n can be formally represented by a function of a parameter P and a vector r as shown in the 
following equation (6) (corresponding to equation (3)). 

Q^Q^-i) (6) 



where P indicates a set of any number of parameters used in the function for ft n . 

50 

F-IpJi-U.Vt.} ....(7) 



55 [0331] For example, in a two-dimensional vector, a two-dimensional rotation angle £l n is represented by the com 
ponents x and y of the two-dimensional vector r = (x, y) as follows. 
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w 



where the parameters p-,, p 2> and p 3 are optionally given. 
[0332] The practical operations performed when the above mentioned two-dimensional vector is processed by the 
encryption devices 110 and 112 used in the system shown in FIG. 30 is described by referring to the flowchart shown 
in FIG. 32. 

[0333] The two-dimensional vector r is represented by r = (x, y) using the components x and y of an orthogonal 
coordinate system. The rotating operation of the angle Q. n = e for the vector is represented by a two-dimensional 
matrix as follows. 



15 



cos8 -sind^ 
^sin6 cosB ; 



(8) 



[0334] Assuming that the function for a rotating operation of a vector using a function 6 = p 1 x + p 2 y + p 3 and an 
20 obtained rotation angle is stored in the multidimensional vector rotation function generation library 134 (refer to FIG. 
31), and the initial value x 0 , y G of r 0 and the value of P, that is, p 1 = 1, p 2 = 1, p 3 = 1, are stored in the parameter list 
generation library 1 32 in advance (refer to FIG. 31) as common keys, an example is described below by referring to FIG. 
32. 

[0335] To generate a two-dimensional vector, the initial value r 0 (including component data x Q) y 0 ) and the parame- 
25 ter p 1f p 2 , p 3 of the function defining a rotation angle 0 are read from the parameter list generation library 132 (refer to 
FIG. 31), and stored in the work area of the memory of the devices (110, 112) (step 21). Based on the value x 0 , y 0 of 
r 0 , the angle G = p 1 *.x j _ 1 + p 2 * y 10 + p 3 (8 = p 1 *x Q * p 2 * y 0 + p 3 ) is computed, and the computation result is 
stored as the value 8 (step 22). 

[0336] Then, to determine the value of the element od the rotation matrix R, cos G and sin 8 are obtained, and are 
30 stored as cos_t and sin J respectively (step 23). 

[0337] Next, a new vector rj is computed by the equation r^ = a R 2 (£2 2 ) r^ + c (step 24). That is, the following 
computation is performed to generate a new vector rj (component Xj, Vj). 

x |=a*("cos J"*x j_ 1 - M sin_t M *y j _ 1 )+c_x; 

35 

y j =a*( M sin_r*x j . 1 V , cos^*y j . 1 )+c^y; 

[0338] Then, the subsequent rotation angle G is obtained based on the components of the vector rj (step 22), and 

the above mentioned steps 23 and 24 are repeated, thereby sequentially generating vectors. 
40 [0339] In the encryption/decryption system according to the present invention, since a trigonometric function is 

introduced using the rotation, and a product of the trigonometric functions are used, the nonlinearity is improved more 

than a normal chaos function, thereby furthermore complicating the decryption. 

[0340] Described below is the process of encrypting data by generating a multidimensional vector. 

[0341] As shown in FIG. 33, an n-dimensionai rotation matrix R n (£l n ) is first generated in the encrypting process 
45 (step 41). The method of generating the matrix is described later in detail. 

[0342] Then, a vector is generated using a nonlinear function containing the n-dimensional rotation matrix R n (n n ) 

(step 42). The vectors rj are sequentially generated such that they cannot match each other in the n-dimensional space. 

A binary operation is performed using the plaintext data and the components of the vectors generated by the vector 

generation unit, thereby generating encrypted data (step 43). Then, the encrypted data is transmitted to the reception 
so device of the receiver (step 44). 

[0343] Described below is a binary operation in step 43. 

[0344] Assume that each of the sequentially generated vectors r is represented by N bits. For example, when a two- 
dimensional vector is expressed by components x and y, each of the data values of the x and y is represented by 16 
bits, the data of x and y is arranged in N bits (for example, 32 bits). 
55 [0345] The vector string rj (j = 1 , 2, 3, ...) obtained in the procedure and the data string Mj (j = 1 , 2, 3, ...) represented 
in N bit units by dividing plaintext data M to be encrypted are used as binary operators to obtain an exclusive logical 
sum (XOR), and the result Cj (j = 1, 2, 3, ...) is obtained as encrypted data. That is, the following computation is per- 
formed. 
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CprjOpMj (9) 

[0346] The above mentioned binary operator op is normally an exclusive logical sum for each. However, since an 
exclusive logical sum is reversible; it is not desired to use it as an operator for encryption. To compensate for this 
demerit of the exclusive logical sum," it is recommended to introduce an operation of scrambling an exclusive logical 
sum with the bits of Mj as binary operators. In this case, the following equation exists. 

op=XOR*S (10) 

where S indicates a scrambling operation for scrambling the bits of Mj, and XOR • indicates the definition as an 
operation of the subsequent exclusive logical sum. Then, encrypted data is obtained by Cj = rj op M j . 
[0347] The decrypting process is described below by referring to FIG. 33. 

[0348] In the decrypting process, as in the encrypting process, a rotation matrix R n (Q. n ) for rotation of a vector 
defined in a closed area of an ft n dimensional process is first generated (step 45). Vectors ^ are sequentially generated 
such that each of the vectors generated using a nonlinear function containing the rotation matrix R n (Q. n ) matches each 
other in the n-dimensional space (step 46). 

[0349] Then, decrypted data is generated by performing an inverse binary operation corresponding to the inverse 
operation of the binary operation performed in step 43 using the received encrypted data and the components of the 
vector ^ generated in the vector generating step 46 (steps 47 and 48). 

[0350] In this decrypting process, the received encrypted character strings Cj (j = 1,2, 3, ...) are sequentially 
retrieved to perform a decrypting operation while generating a vector corresponding to C y This process is described 
below by referring to the flowchart shown in FIG. 34. 

[0351] The decrypting process starts with j = 0 (step 51 ), the encrypted data Cj is retrieved (step 52), an n-dimen- 
sional rotation matrix R„ (Q. n ) is generated (step 53), and a vector rj is generated (step 54). Then, an. operation is per- 
formed by Mj = rj op" Cj to yield decrypted data (plaintext Mj) (step 55). If the encrypted data C has not been 
completely processed, then the next encrypted data is retrieved with j = j + 1 (steps 56 and 57) to generate R n (ft n ), and 
repeat the process of generating the subsequent vector ty The process of repeating steps 52 through 56 is performed 
until the encrypted data Cj is completely processed. 

[0352] Then, the above mentioned first encrypting and decrypting embodiment is extended into a more practical 
procedure of encrypting data, and is described below as the second embodiment. 
[0353] First, the following equation is performed. 

C 0 =r 0 opM 0 (11) 

[0354] Then, a check sum Z 0 for C 0 is computed. Furthermore, the equation (9) above is rewritten into the following 
equation for j where j > 1 . 

C | «(r j bpE H )opM J (12) 

[0355] The check sum is represented by, for example, the number of is contained in the computed value of C as a 
binary indicating the number of bits equal to the number of bits of rj. In the equation, L Q is obtained from the value of 
encrypted data C^ E 1 is obtained from C lt and is obtained from C 2 in the following computation order. 

plaintext Mq M x M 2 M 3 



(keystring) r 0 r x r 2 r 3 



ciphertext C 0 




EP 1 089 194 A2 



[0356] That is, the transmitter obtains C 0 by C 0 = r 0 op M 0 for the encrypted data C G for M 0 , thereby obtaining the 
check sum L 0 of C Q . For the encrypted data C-| for M 1( C-| is computed by C-j - op L Q ) op M 1f thereby obtaining the 
check sum It of C-|. The subsequent data Mj is encrypted by Cj = (rj op E^) op M 1 with Tj.-j obtained by the previous 
data taken into account rj and are computed with the same data width (number of bits). 
5 [0357] The receiver for decrypting the data receives C 0 , C-j, C 2 , and computes M 0 = r 0 op' 1 C 0 , and has to 
obtain the check sum Iq from tne received C 0 . Using this, M-j is computed for C-j by the following equation. 

M^r, op£ 0 )op' 1 C 1 (13) 

io [0358] The subsequent data Mj is decrypted by the following equation using the check sum obtained for the 
received Oj_ 1 . 

Mj^rjopL^Jop^Cj (14) 

15 [0359] The encrypted data obtained in the above mentioned procedure has been processed by different keys, it is 
assumed that the data is durable against an attempt to decrypt the data using an assumed key. 
[0360] If the number of dimensions becomes large in a multidimensional space rotation system, the number of ele- 
ments of a rotation matrix R also becomes large, thereby causing the problem that an operation load is large in an 
encrypting/decrypting process. To solve the problem, a method of computing a multidimensional space rotation matrix 

20 in an encryption system using a multidimensional space rotation system from a pseudo space rotation matrix having a 
smaller number of dimensions, 

[0361] Described below is deriving a rotation matrix R n (ft n ) for the multidimensional space rotation. 
[0362] The first method is to generate an n-dimensional rotation matrix R n (ft n ) from the (n-1 )-dimensional rotation 
matrix R n .-| (ft n .i)- Since a method for a multidimensional space rotation is complicated, a two-dimensional space rota- 
25 tion is described below for simple explanation. A two-dimensional vector r is represented by the following equation using 
the components x and y of an orthogonal coordinate system. 

r=(x,y) 

30 [0363] The rotating operation of the angle Q. n = 0 for the vector is represented as a two-dimensional matrix as fol- 
lows. 
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40 



45 



55 



*2<8)= 



cosd -sine") 
^sind cos 6 J 



(16) 



where the subscript of 2 on the left side indicates that the operation is defined in a two-dimensional space. The 
operation satisfies the conditions of the following equations. 

1*2(6)1=1 (17) 

j^-e^er 1 ua) 



[0364] The equation (1 7) guarantees that the size of the vector of the rotation in the rotating operation remains con- 
stant, and the equation (18) indicates that there is an rotating operation to restore the vector of the rotation to the orig- 
50 inal state. 

[0365] For extension to a three-dimensional rotation, the description on the right side of the equation (1 6) is simpli- 
fied and formally represented as follows. 



/ 



tt ll *12 



\*21 tt 22, 



\ 



(19) 
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where a,, = a 22 = cos6 and <x 21 = -a 12 = sine . In the case of a three-dimensional rotation, it is reasonable to start 
with the rotation using each of the three orthogonal axes as a rotation axis. It can be represented by any of the following 
three matrices. 



^1 0 0\ 



0 o n a 12 
0 a 21 a nJ 



(20-1) 











0 1 


0 




k «21 0 


a 22; 



(20-2) 



a 21 0 



0 I) 



(20-3) 



[0366] Note that they can be obtained by adding 1 as a diagonal element in the two-dimensional space rotating 
operation provided by the equation (19). In addition, it is obvious that the rotation of the three-dimensional vector in the 
operation is shown in FIGS. 37 A through 37C. 

[0367] The above mentioned matrices (20-1), (20-2), and (20-3) are three-dimensional matrices including two- 
dimensional matrices indicating the rotating operation in a two-dimensional space. A generalized three-dimensional 
rotation is obtained by retrieving three matrices (which can be duplicate) from the above mentioned matrices, and 
sequentially multiplying one by each other. A generalized rotation angle in a three-dimensional space can be repre- 
sented by the following equation. 



where the rotating operation R 3 (0 3 ) for a three-dimensional vector is represented by the following equation. 

R3(^3)= R 3,i( e i) R 3,j( e ]) R 3,k(«k) ( 21 ) 

where i, j, and k can be any of 1, 2, and 3, and can be normally duplicate on condition that the operation does 
not continue on the same axis. For example, i, j, and k can be 1 , 2, and 1 . 

[0368] If an 'inverse rotation angle' is represented by -H 3 = (-9 V -6 2 , -6 3 ) , then the inverse rotating operation of 
the rotating operation represented by the equation (21) can be represented by the following equation with the signifi- 
cance taken into account. 

R 3<-ft 3)= R 3.k(- 0 k) R 3j(- 0 j) R 3.i(" e i) ( 22 ) 

[0369] The rotating operation defined by the equation (21) normally takes the following form. 



29 



EP 1 089 194 A2 







[P.. 


Pu 


P 13 ) 
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Pa 


P* 


P* 








Pa 


P33, 



(23) 



70 



where matrix element is uniquely determined from the equations (16), (19), (20-1) through (20-3), and (21). For R 3 (£2 3 ), 
the following two features are satisfied. 



15 



l/Wl-l (24) 

R^-Q^RAQJ- 1 (25) 



20 [0370] Described below is the generation of a vector in an actual three-dimensional space. 

[0371] In a three-dimensional space, a vector rj can be generated by storing the order of multiplication of rotation 
matrices. If a rotation angle is represented by = x , = y , 2^ = z for simple explanation of three-dimensional 
rotation, the following equations exist. 



25 



30 



*l*Pll X +Pt?+P\3l+PX4 

*i s Pu*+P2y+Pxi+Pu 



[0372] The three-dimensional rotating operation R 3 (Q 3 ) is represented by the multiplication of the following three 
rotation matrixes as shown by the equation (21) above in the method described later, that is, 



35 



where integers i, j, and k are any of 1 , 2, and 3, and normally can be duplicate. That is, there are 3 x 2 x 2 (= 1 2) 
methods of multiplication of R 31 (0^, R 3 2 (©2)' ^3,3 ( e 3)> and tne order °f tne multiplication depends on the parameter 
40 of the transmitter. In this encrypting process, the flow of the vector rj generating process in the three-dimensional space 
is shown in FIG. 35. 

[0373] That is, R 3 (H 3 ) is prepared based on the order of multiplication specified by the parameter of the transmitter 
(step 61 ). Then, the initial value r 0 of the vector, and the parameters p 1 ■) through p^ of the function for computation of 
the rotation angles 8-, , ti 2 , and 63 are stored (step 62). Then, using the components (x, y, z) of r 0 (r^), the following oper- 
45 ations are performed (step 63). 

*rPii*+Pi&+Pxjz+Pu 
50 ^Pn x +P3#+P%£+P* 



55 [0374] Then, R 3 (£1 3 ) is computed, and a new vector r } is generated by the equation (5). At this time, the order of 
multiplication is specified depending on the parameter of a transmitter as described above, for example, on the 
employee number, etc. of the transmitter. As for the rotation matrix R 3 (Cl 3 ), the transmitter (and the receiver) does not 
compute the rotation matrix R 3 (£ 3 ) based on the order specified each time data is transmitted, but 12 functions are 
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stored in advance, and any of the functions can be specified. 

[0375] Described below is the method of applying the procedure of extending the above mentioned two-dimen- 
sional rotation to the three-dimensional rotation, and the three-dimensional rotation to the four-dimensional rotation. 
[0376] In this case, four two-dimensional matrices, that is, R 4j (ft 3 ) (i = 1, 2, 3, 4.) , are obtained by adding 1 to 
the equation (23) as a diagonal element. That is, the following equations are obtained. 
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0 




,P 3 1 P» 0 


^33, 



(26-1) 



(26-2) 



(26-3) 
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(26-4) 



[0377] Furthermore, the rotating operation for the rotation angle £2 4 in a four-dimensional space is defined by the 
following equation. 

^(Q4) a V°3^4/o 3 ,PV Q 3>)V Q 3; (27) 



[0378] n 3 J (i = 1 , 2, 3, 4) is another three-dimensional rotation angle ftg different from the angle defined above. 
[0379] By repeating the definition, the rotating operation R n (£2 n ) for the rotation angle H n in the n-dimensional 
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space can be normally represented by the following equation. 



M 



[0380] It is easily confirmed that the obtained rotating operation satisfies the features of the equations (29) and (30) 
w by taking the order of the product on the right side of the equation (28) into account. 

I*»(0„)N (29) 



[0381] The n-dimensional rotation matrix R n (ft n ) can be generated by performing the processes according to the 
20 flowchart in FIG. 36. 

[0382] That is, k = 2 is first set (step 30), and the 2-dimensional rotation matrix R 2 (n 2 ) is generated (step 31 ). Then, 
it is determined whether or not the value of k is smaller than n (step 32). If yes, the value of k is incremented by 1 (step 
33), and the k-dimensional rotation matrix R k (£2 k ) is generated such that it can include the (k-l)-dimensional rotation 
matrix R k .-, (ft^) as a (k-l)-dimensional small matrix (step 34). 
25 [0383] Then, a product of the k generated k-dimensional rotation matrix R^ (fy), R k j2( e j2)» — ■ R kjk( e jk) is obtained 
to obtain a rotation matrix R k (ft k ) (step 35). Then, by repeating the steps 34 and 35 from k = 2 to k = n , the n-dimen- 
sional rotation matrix R n (ft n ) can be generated. 

[0384] In the second method described below, a pseudo- rotation matrix is obtained by arranging a plurality of rota- 
tion matrices of smaller number of dimensions as diagonal blocks with remaining elements set to zero. The second 
30 method is described below in detail. For example, the elements of the rotation matrix R in a six-dimensional space are 
as shown by the following equation (37) indicating a large volume of computation. 
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(37) 



[0385] Then, the rotation matrix R is computed by replacing it with a pseudo-rotation matrix. The pseudo-rotation 
matrix Q is obtained by arranging a plurality of spatial rotation matrices of smaller number of dimensions as diagonal 
so blocks with remaining elements set to zero. For example, in a six-dimensional space, a pseudo-rotation matrix Q as rep- 
resented by the following equation (38) is used. 
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(38) 
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where A and B are three-dimensional rotation matrices. 
[0386] When the elements of the pseudo-rotation matrix Q are compared with the elements of the rotation matrix 
R, the Q contains more zero elements, thereby requiring smaller volume of computation. In addition, its encrypting func- 
tion sufficiently works. Normally, a multidimensional spatial rotation matrix Q can be set as represented by the following 
equation (39). 



'A x 0 - 0) 
0 Aj 0 



0 0 



(39) 
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where A1, A2, .... Ai are multidimensional spatial rotation matrices. 
[0387] Thus, the volume of computation can be considerably reduced and an encrypting process or a decrypting 
process can be quickly performed by replacing a rotation matrix in a multidimensional spatial rotation system with a 
pseudo-rotation matrix obtained by arranging a plurality of rotation matrices with smaller number of dimensions set as 
diagonal blocks with remaining elements set to zero. 

[0388] In a further method, the value of P obtained in a similar transformation represented by the following equation 
(40) can be used as a new pseudo-spatial rotation matrix. 



40 



P=S*Q*S 



(40) 



[0389] In the equation (40), q is the above mentioned pseudo-rotation matrix, and S is a permutation matrix. As 
shown in the following equation (41), it is a square matrix with each row and column containing a 1 as an element. 
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[0390] For example, when the pseudo-rotation matrix Q is. rep resented by the equation (38) above (in a six-dimen- 
sional space), the pseudo-spatial rotation matrix P is represented by the following equation (42). 
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[0391] A practical example is represented by the following equation (43). 
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(43) 
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[0392] Thus, by replacing a rotation matrix in a multidimensional spatial rotation system with a pseudo-rotation 
matrix obtained by combining permutation matrices having a plurality of rotation matrices with smaller number of dimen- 
sions set as diagonal blocks with remaining elements set to zero, the computation process can be complicated, thereby 

35 making furthermore difficult decryption. 

[0393] The feature of the present encryption system is that with an increasing number of spatial dimensions, 
encrypted data can be decrypted with the more difficulty, that a software process can be quickly performed, thereby 
requiring no special hardware for encrypting arid decrypting processes, and that the privilege (authority) for hierarchy 
and decryption for personal use, group use, etc. can be minutely prescribed. 

40 [0394] Therefore, the application of the present invention includes management of personal and private data, man- 
agement of confidential mail, management of broadcast communications data, etc., and various other fields. In addi- 
tion, since the present invention can improve the security of the data in the server of an Internet environment, a system 
administrator and an Internet service provider can make the most of the present invention. 

[0395] Furthermore, according to the present invention, the parameter P and the constant vector c can be time 
45 dependent, and the P can be represented by the following equation. 



P(t)={p ,(t)il=1A3 } 



(31) 



where the c can be set to c(t). Additionally, the initial value r 0 (t) can also be time dependent. 

so [0396] In an actual encrypting process, the initial value r 0 of the vector is substituted for r^ (j = 1 ) on the right side. 
The obtained new vector r t is substituted for the r^ on the right side of the equation (5). By repeating the process, new 
vectors are sequentially generated. The time dependence represented by the equation (31) indicates that the same 
encrypted data cannot be obtained even if the same original data is encrypted at different times. 
[0397] If a parameter set and functions are carefully set in the equation (6), the vectors rj sequentially generated by 

55 the equation (5) can be prevented from converging into a balanced solution. 

[0398] It is said to be difficult to decrypt data encrypted in a chaos or random system if the key is secret. The 
encryption system according to the present invention inherits the above mentioned features. The feature of the present 
encryption system is, in addition to the desired features of the above mentioned conventional encryption system, to be 
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able to freely amend (customize) the encrypting procedure for the following grounds. 

1 . The representation of the rotation matrix R n (£l n ) according to the equation can be optionally determined. 

2. The function ft n (P, r^) on the right side of the equation (6) and the parameter P can be optionally set on condi- 
5 tion that the function value is not dispersed. 

3. Various 'initial values' can be optionally set. 

4. The vector rj obtained by optionally repeating the operation of the equation (5) starting with the initial value of an 
optional vector can be set again as an initial value of the vector used in an encrypting/decrypting process. 

5. When an operation with a floating point is performed, an operation result depends on a numeral operation proc- 
w essor and a compiler. Therefore, a decrypting process requires a decryption environment which is the same as an 

encryption environment. 

[0399] The procedure according to the present embodiment can be performed using integers. In this case, a multi- 
dimensional space can be sectioned by a grid, and a vector indicated by coordinates of a discrete grid point changes 

15 by rotation and spatial translation. 

[0400] The encrypting procedure in the multidimensional rotation vector system of the present encryption system 
includes a number of options. For example, a multidimensional vector rotating operation cannot be simply set, and a 
person trying to decrypt encrypted data (system) has to regenerate the system of a rotation generation unit, identify the 
function system prescribing a generalized multidimensional vector rotation angle, and correctly detect the parameter 

20 (key). 

[0401] According to the present invention, there is the lowest possibility that the vector rj can be regenerated 
because there is a very large number of ways of setting nonlinear functions for obtaining a rotation angle ft n from the 
state of a rotation vector r^ with a parameter P as a key, and determining the configuration of rotation matrices. 
[0402] Since the present encryption system generates an n-dimensional rotation matrix from a rotation matrix hav- 

25 ing a dimension smaller than the n-dimensional rotation matrix, it applies to a sequential process. Furthermore, since 
a nonlinear function for sequential or chaotic generation of vectors through spatial translation and rotation of a n-dimen- 
sional vector defined in a closed area of an n-dimensional space using the n-dimensional rotation matrix is defined by 
a real number according to the present invention, an encrypting/decrypting process can be performed for optionally and 
digitally represented data. Therefore, the present invention can be utilized in various applications. 

30 [0403] Described below is the application of the encryption/decryption system of the present invention to the above 
mentioned embodiments of the database management apparatus. 

[0404] According to the present invention, a multidimensional spatial rotation system (multidimensional spatial vec- 
tor system) is used as an encryption algorithm of a database. In the multidimensional spatial rotation system, sequential 
vectors are generated in a multidimensional space based on a predetermined function, and the components of the vec- 

35 tors are key streams for encryption. In the multidimensional spatial rotation system, computation can be performed by 
an information processing device even with low performance. Therefore, the system can be applied to a portable termi- 
nal. That is, in an environment in which a database according to the present invention is externally accessed, the 
encryption system is desired to process data with the security of the data successfully guaranteed. At this time, to 
encrypt the database according to the present embodiment, column keys are different from row keys. Therefore, the 

40 parameter of the predetermined function is determined using at least one of the column keys and the row keys, thereby 
generating a key stream for encryption. Thus, a key stream unique to each row and column can be generated. 
[0405] As described above in detail, according to the database management apparatus of the present invention, 
data of column items used in a retrieving process is encrypted using a column key common among the column items 
while data of other column items is encrypted using a row key unique to each row when a database is encrypted. There- 

45 fore, the security can be improved by using different keys for respective rows. When a retrieving process is performed, 
the data input for retrieval is encrypted using a column key common among predetermined column items, and the 
encrypted retrieving data is compared with the encrypted database, thereby realizing a high-speed retrieving process. 

Claims 

50 

1 . A database management apparatus, comprising: 

encryption key specification means (424) for specifying whether a key for encryption of data of a column item 
of a database using a column key common among column items or a row key specific to each row; 
55 encryption means (427) for encrypting each column item of the database using a key specified by said encryp- 

tion key specification means; and 

a storage means (41 6d) for storing in memory the database encrypted by said encryption means. 
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2. The apparatus according to claim 1 , further comprising 

database search means for encrypting data input for retrieval using a row key common among predetermined 
column items when column items encrypted using the common row key is to be retrieved, comparing the 
5 encrypted retrieving data with each item data of the encrypted database stored in the memory, and performing 

retrieving process. 

3. The apparatus according to claim 1 , wherein 

w said encryption means (427) encrypts data of a predetermined column item using a combination of a row key 

specific for each row and a column key common among corresponding column items. 

4. The apparatus according to claim 1 , wherein 

15 said encryption means (427) generates sequential vectors in a muitidimensional space based on a predeter- 

mined function, and encrypting a database using the row key and the column key as a constant of the function 
in an encryption system using elements of the vectors as a key stream of encryption. 

5. A database system which has a first information terminal containing a database, and a second information terminal 
20 requesting the first information terminal to search the database, and connects the first and second information ter- 
minals through a network, wherein: 

on the first information terminal side, data of a first type of column item of the database is encrypted using a 
column key common among the column items, and data of a second type of column item is encrypted using a 
25 row key using a column key specific to each row; 

when the second information terminal requests searching the database for the first type of column item, retriev- 
ing data input is encrypted using a column key common among the column items, and the encrypted retrieving 
data is transmitted to the first information terminal through the network; and 

on the first information terminal side, the encrypted database is searched using the retrieving data, and the 
30 encrypted data obtained as a search result is returned to the second information terminal through the network. 

6. The database management apparatus which manages a database in which data is encrypted using a column key 
common among predetermined column items, comprising: 

35 encryption means (427) for encrypting input retrieving data using the column key when data is retrieved from 

predetermined column items; and 

retrieval means for retrieving data by comparing the encrypted retrieving data with each item data of the 
encrypted database.- 

40 7. The apparatus according to claim 1 , comprising: 

plaintext data obtaining means for obtaining plaintext data to be encrypted; 

vector generation means sequentially generating vectors defined in a closed area of an n(n£1)-dimensional 
space using a function determined using at least the column key or a row key; and 
45 logical operation means for performing a logical operation in bits units using the plaintext data obtained by said 

plaintext data obtaining means and elements of the vectors generated by said vector generation means, and 
generating encrypted data. 

8. A computer-readable storage medium storing a program used to direct a computer to perform the process, com- 
50 prising: 

encrypting data of a first type of column item of a database using a column key common among the column 
items, and encrypting data of a second type of column item using a row key specific for each row; and 
searching encrypted database obtained as a result of the encrypting function. 

55 

9. A computer-readable storage medium storing a program used to direct a computer to perform the process, com- 
prising: 
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encrypting input retrieving data using the column key when data is retrieved from predetermined column items; 
and 

retrieving data by comparing the encrypted retrieving data with each item data of the encrypted database. 

10. A database management apparatus, comprising: 

first encryption means for encrypting data of a first type of column item of a database using a column key com- 
mon among the column items, and encrypting data of a second type of column item using a row key specific 
for each row; 

second encryption means for encrypting the row key used in encrypting the data of the second type of column 
item of the database by said first encryption means using another key common among rows; and 
storage means for storing in memory the database encrypted by said first encryption means with the row key 
encrypted by said second encryption means. 

11. The apparatus according to claim 10, wherein 

said row key is generated by a row number assigned to each row of said database and a random number. 

12. An encryption apparatus according to claim 10, comprising: 

vector generation means for sequentially generating vectors defined in a closed area of an n(n>1 )-dimensional 
space using a function determined using each of the keys in the database management apparatus according 
to claim 10; and 

logical operation means for performing a logical operation in bits meanss using the plaintext data obtained by 
said plaintext data obtaining means and components of the vectors generated by said vector generation 
means, and generating encrypted data. 

13. A database system having a first terminal unit for managing a database, and a second terminal unit for searching 
the database independent of the first terminal unit, wherein: 

on the first terminal unit side, the database is encrypted and the encrypted database is stored in a portable 
storage medium, and the storage medium is distributed; and 

on the second terminal unit side, the encrypted database is searched using the distributed storage medium, 
and data obtained as a search result is decrypted and displayed. 

14. The system according to claim 12, wherein: 

said first terminal unit encrypts data of a first type of column item of the database using a column key common 
among the column items, encrypts data of a second type of column item using a row key using a column key 
specific to each row, and encrypts the row key using another key common among rows; and 
said encrypted database is stored with the row key after the encryption in a storage medium. 

15. The system according to claim 12, wherein 

said storage medium stores the encrypted database in said first terminal unit, and a predetermined program 
for searching encrypted database. 

16. A computer-readable storage medium storing a program used to direct a computer to perform the process, com- 
prising: 

encrypting data of a first type of column item of a database using a column key common among the column 
items, and encrypting data of a second type of column item using a row key specific for each row; and 
encrypting a row key used in encrypting data of a second type of column item of the database by said first 
encrypting function using another key common among rows. 

17. An encryption system, comprising: 

rotation matrix generation means for generating an n-dimensional rotation matrix R n (& n ) for rotating a vector 
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defined in a closed area of an n(n>1)-dimensional space using each component of the vector and an angle a n 
depending on a parameter set P such that an (n-l)-dimensional rotation matrix R M (ft n _i) can be contained 
as an (n-l)-dimensional small matrix; 

vector generation means for generating a vector rj such that vectors q G^O) sequentially generated using a non- 
linear function containing at least the rotation matrix R n (ft n ) cannot match each other in the n-dimensional 
space; and 

binary operation means for generating encrypted data by performing a binary operation using plaintext data 
and components of the vector rj generated by said vector generation means. 

18. The system according to claim 16, wherein 

said nonlinear function of said vector generation means is a function containing a fixed vector for spatial trans- 
lation of a rotation vector, and said vector generation means sequentially generating vectors such that the gen- 
erated vectors cannot match each other. 

19. The system according to claim 16, wherein 

said n-dimensional rotation matrix R n (& n ) used by said vector generation means is generated by a product of 
an n-dimensional rotation matrices generated by changing insertion places of (n-l)-dimensional small matrix 
corresponding to an (n-l)-dimensional rotation matrix R^ (ft n .i)- 

20. The system according to claim 16, wherein 

said binary operation (op) indicates that an exclusive logical sum operation (XOR) is performed after perform- 
ing a scrambling operation S, represented by 

op = XOR • S 

21. The system according to claim 16, wherein 

encrypted data Cj is generated by performing the binary operation on plaintext data Mj and a vector obtained 
by performing the binary operation on a j-th vector rj generated by a nonlinear function used by said vector gen- 
eration means and a check sum of Q-1 )-th generated encrypted data C^. 

22. A decryption system, comprising: 

vector generation means for generating vectors rj such that vectors rj sequentially generated using a nonlinear 
function containing at least an n-dimensional rotation matrix R n (£l n ) for rotating a vector defined in a closed 
area of an n(n>1)-dimensional space using each component of the vector and an angle £2 n depending on a 
parameter set P cannot match each other in the n-dimensional space; 

inverse binary operation means for receiving encrypted data, from an encrypting side, generated by performing 
a binary operation on plaintext data and components of a vector ^ generated by a method similar to a method 
of said vector generation means, and decrypting the plaintext data by performing an inverse binary operation 
corresponding to an inverse operation to the binary operation using the vector rj generated by said vector gen- 
eration means and the encrypted data. 

23. The system according to claim 21 , wherein 

said rotation matrix R n (£2 n ) is generated by said rotation matrix generation means according to claim 17. 

24. The system according to claim 21, wherein 

said nonlinear function used by said vector generation means is a function containing a fixed vector for spatial 
translation of a rotation vector, and said vector generation means sequentially generates vectors such that the 
vectors cannot match each other. 

25. The system according to claim 21 , wherein 



38 



EP 1 089 194 A2 



an n-dimensional rotation matrix R n (Q^) used by said vector generation means is generated by a product of 
an n-dimensional rotation matrices generated by changing insertion places of (n-l)-dimensional small matrix 
corresponding to an (n-l)-dimensionat rotation matrix R n .-| (ft n .i). 

26. The system according to claim 21 , wherein 

said binary operation (op) indicates that an exclusive logical sum operation (XOR) is performed after perform- 
ing a scrambling operation S, represented by 

op = XOR • S; and 

said inverse binary operation (op" 1 ) indicates that an inverse operation S" 1 inverse to the scrambling operation 
S is performed after performing an exclusive logical sum (XOR), represented by 

. op' 1 =S' 1 XOR 

27. The system according to claim 6, wherein 

a check sum of a (j-1 )-th received encrypted data Cj.-, is generated, the binary operation is performed using 
a result of the generation and a vector rj generated by the nonlinear function used by said vector generation 
means, then the inverse binary operation is performed using a vector generated by the binary operation and a 
j-th received encrypted data Cj, thereby decrypting plaintext data Mj. 

28. A vector generation system for use in a database management apparatus and an encryption/decryption system, 
wherein 

when an n-dimensional rotation matrix R for rotation of a vector defined in a closed area of an n(n>1 )-dimens- 
lonal space using each component of the vector and an angle depending on a parameter set P is generated, 
a plurality of rotation matrices of a smaller number of dimension are arranged as diagonal blocks, and pseudo- 
rotation matrices Q generated as 0 elements are used in remaining portions. 

29. The system according to claim 28, wherein 

when an n-dimensional rotation matrix R for rotation of a vector defined in a closed area of an n(n>1 ^dimen- 
sional space using each component of the vector and an angle depending on a parameter set P is generated, 
a plurality of rotation matrices of a smaller number of dimension are arranged as diagonal blocks, and a matrix 
P formed by performing a similar transform represented by P = S »Q-S T by a replacing matrix S on a 
pseudo-rotation matrices Q generated as 0 elements are used in remaining portions. 
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